CNNVD-202601-1121 Information

CNNVD ID

CNNVD-202601-1121

CVE-2025-69262

  • CNNVD Published: 2026-01-07

Description (Chinese)

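pnpm is an open-source package manager from pnpm. pnpm versions 6.25.0 through 10.26.2 contain a code injection vulnerability. The vulnerability stems from command injection when environment variable substitution is used in the .npmrc configuration file, and it may lead to remote code execution.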

Description (English)

pnpm is an open-source package manager from pnpm. pnpm versions 6.25.0 to 10.26.2 contain a code injection vulnerability, which results from command injection when environment variables are substituted in the .npmrc configuration file and which may lead to remote code execution.

Hazard Level

Medium

Vulnerability Type

Code Injection

Affected Vendor

pnpm

Published

2026-01-07

Last Modified

2026-02-24

References

  • https://github.com/pnpm/pnpm/releases/tag/v10.27.0
  • https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx

Patch

https://github.com/pnpm/pnpm/releases
