Vulnerability Details CVE-2025-69263
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.6%
CVSS Severity
CVSS v3 Score 7.5
References