CVE-2025-69263
Supply Chain Attack vulnerability in pnpm (npm)


What is CVE-2025-69263 About?

This vulnerability allows a remote server to serve different content on each install for HTTP tarball and git-hosted tarball dependencies due to the absence of integrity hashes in the lockfile. Attackers can leverage this to deliver targeted, evolving malicious payloads, making exploitation moderately difficult as it requires controlling a package's dependency or the remote server.

Affected Software

pnpm <10.26.0

Technical Details

The pnpm package manager stores HTTP tarball dependencies and git-hosted tarballs in the lockfile without integrity hashes. The tarball resolver in pnpm (specifically resolving/tarball-resolver/src/index.ts) records only the URL and omits any integrity field, so the resulting lockfile entry lacks the metadata needed to verify the downloaded content. As a result, pnpm cannot detect whether the remote server serves different content on subsequent installs, even when a lockfile is committed. An attacker can exploit this by publishing a package that depends on such an HTTP tarball and later altering the content served at the tarball URL. This affects HTTP/HTTPS tarball URLs, Git shorthand dependencies, and general Git URLs, but not npm registry packages, which do include integrity hashes.
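As an added example (not part of this advisory and not pnpm's own code), the following check walks a pnpm-lock.yaml and reports exactly the entries described above: tarball and git resolutions that carry no integrity field. The lockfile layout follows the pnpm v9 format as an assumption, and the sample lockfile, hosts and hashes are constructed placeholders.

```javascript
// Added example, not pnpm's own code: flag pnpm-lock.yaml entries resolved from
// HTTP tarballs or git repos without an `integrity` hash (pnpm v9 lockfile layout assumed).

// Parse a YAML flow mapping like `{tarball: https://x/y.tgz, integrity: sha512-...}`; splitting at the first colon keeps URLs intact.
function parseFlowMap(text) {
  const map = {};
  for (const part of text.trim().replace(/^\{|\}$/g, '').split(',')) {
    const idx = part.indexOf(':');
    if (idx !== -1) map[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return map;
}

// Walk the `packages:` section; return {pkg, kind, source} for every tarball/git
// resolution that has no integrity field and so cannot be verified on reinstall.
function findUnpinnedSources(lockfile) {
  const findings = [];
  let inPackages = false, current = null;
  for (const line of lockfile.split('\n')) {
    if (/^\S/.test(line)) {                       // top-level key
      inPackages = line.startsWith('packages:');
      current = null;
      continue;
    }
    if (!inPackages) continue;
    const pkg = line.match(/^  (\S.*):\s*$/);    // 2-space indent: package key
    if (pkg) { current = pkg[1].replace(/^['"]|['"]$/g, ''); continue; }
    const res = line.match(/^    resolution:\s*(\{.*\})\s*$/);
    if (!res || !current) continue;
    const r = parseFlowMap(res[1]);
    const isGit = r.type === 'git' || 'repo' in r;
    if (('tarball' in r || isGit) && !r.integrity) {
      findings.push({ pkg: current, kind: isGit ? 'git' : 'tarball', source: r.tarball || r.repo });
    }
  }
  return findings;
}

// Constructed sample lockfile: placeholder hashes and .invalid hosts, not real data.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'
packages:
  registry-lib@1.2.3:
    resolution: {integrity: sha512-PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==}
  my-lib@https://tarballs.example.invalid/my-lib-1.0.0.tgz:
    resolution: {tarball: https://tarballs.example.invalid/my-lib-1.0.0.tgz}
  pinned-lib@https://tarballs.example.invalid/pinned-1.0.0.tgz:
    resolution: {tarball: https://tarballs.example.invalid/pinned-1.0.0.tgz, integrity: sha512-PLACEHOLDER==}
  git-dep@https://git.example.invalid/example-org/git-dep.git#0123456789abcdef:
    resolution: {commit: 0123456789abcdef, repo: https://git.example.invalid/example-org/git-dep.git, type: git}
`;
```

Running `findUnpinnedSources` on the sample reports `my-lib` (tarball) and `git-dep` (git) while leaving the registry entry and the integrity-pinned tarball alone; in CI, pass it the contents of the repository's pnpm-lock.yaml and fail the build on any finding.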

What is the Impact of CVE-2025-69263?

Successful exploitation may allow attackers to distribute varying malicious code to different users or CI/CD environments, bypass security audits by serving benign code initially and malicious code later, and conduct supply chain attacks where the payload changes over time. This can lead to arbitrary code execution or system compromise.

What is the Exploitability of CVE-2025-69263?

Exploitation of this vulnerability is moderately complex, requiring an attacker to either control a remote server hosting a tarball dependency or to publish a package with a malicious HTTP/git tarball dependency. No authentication is inherently required for the victim to install the package, but the attacker needs to set up the malicious dependency. There are no specific privilege requirements on the victim's system, as the attack leverages how the package manager resolves dependencies. The attack is remote, as it relies on content served from a remote server. A significant constraint is that the victim must install a package that incorporates such a dependency. The risk factors increase if developers frequently use HTTP/git tarball dependencies from untrusted sources or if a legitimate dependency's hosting server is compromised.

What are the Known Public Exploits?

No known exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2025-69263?

Available Upgrade Options

  • pnpm
    • <10.26.0 → Upgrade to 10.26.0


Additional Resources

What are Similar Vulnerabilities to CVE-2025-69263?

Similar Vulnerabilities: CVE-2021-29921, CVE-2021-4113, CVE-2020-8174, CVE-2020-8203, CVE-2023-45803