
9 matches found

Snyk
added 2026/01/07 10:51 p.m., 1 view

Protection Mechanism Failure

Overview: Affected versions of this package are vulnerable to Protection Mechanism Failure during pnpm install. An attacker can execute arbitrary code by introducing a malicious git-hosted dependency that leverages prepare, prepublish, or prepack scripts during the fetch phase. Remediation: Upgrade...

9.8 CVSS, 7.3 AI score, 0.00168 EPSS
Exploits: 1, References: 2
Cvelist
added 2026/01/07 9:53 p.m., 18 views

CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

8.8 CVSS, 0.00168 EPSS
Exploits: 1, References: 2
CVE
added 2026/01/07 9:53 p.m., 7 views

CVE-2025-69264

CVE-2025-69264 affects pnpm v10.x prior to 10.26.0. It describes a bypass where git-hosted dependencies can execute scripts during the FETCH phase of pnpm install, despite the v10 feature that disables dependency lifecycle scripts by default. Specifically, while postinstall scripts are blocked vi...

9.8 CVSS, 8.2 AI score, 0.00168 EPSS
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2026/01/07 9:53 p.m., 2 views

CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

8.8 CVSS, 8.5 AI score, 0.00168 EPSS
Exploits: 1, References: 4
Vulnrichment
added 2026/01/07 9:53 p.m., 2 views

CVE-2025-69264 pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

8.8 CVSS, 8.2 AI score, 0.00168 EPSS
Exploits: 1, References: 2
AlpineLinux
added 2026/01/07 9:53 p.m., 3 views

CVE-2025-69264

pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the...

9.8 CVSS, 8.7 AI score, 0.00168 EPSS
Exploits: 1
Github Security Blog
added 2026/01/07 7:7 p.m., 11 views

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm v10+ Git Dependency Script Execution Bypass. Summary: A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10...

9.8 CVSS, 8.7 AI score, 0.00168 EPSS
Exploits: 1, References: 4, Affected Software: 1
OSV
added 2026/01/07 7:7 p.m., 2 views

GHSA-379Q-355J-W6RJ pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

pnpm v10+ Git Dependency Script Execution Bypass. Summary: A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10...

8.8 CVSS, 8.6 AI score, 0.00168 EPSS
Exploits: 1, References: 4
Positive Technologies
added 2026/01/07 12:0 a.m., 2 views

PT-2026-1941

Name of the Vulnerable Software and Affected Versions: pnpm versions 10.0.0 through 10.25. Description: pnpm is a package manager affected by an issue where git-hosted dependencies can execute arbitrary code during the pnpm install process. This bypasses the security feature introduced in version 10...

9.8 CVSS, 6.8 AI score, 0.00168 EPSS
Exploits: 1, References: 13