Description

pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.

Related CPE's

a

pnpm

pnpm

*

*

*

*

*

*

node.js

Vulnerable

References

https://github.com/pnpm/pnpm/releases/tag/v10.27.0

ProductRelease Notes

https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx

ExploitVendor Advisory

https://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx

ExploitVendor Advisory

Weaknesses

[email protected]

Secondary
CWE-78CWE-94

CVSS impact metrics

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

7.5 · High

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2026-01-07T23:15:50.330Z

5 days ago

Last modified

2026-01-12T21:50:45.267Z

3 hours ago