{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69263", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-30T19:36:06.780Z", "datePublished": "2026-01-07T21:31:07.567Z", "dateUpdated": "2026-02-26T15:04:55.589Z"}, "containers": {"cna": {"title": "pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies", "problemTypes": [{"descriptions": [{"cweId": "CWE-494", "lang": "en", "description": "CWE-494: Download of Code Without Integrity Check", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw"}, {"name": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85", "tags": ["x_refsource_MISC"], "url": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85"}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"version": "< 10.26.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T21:31:07.567Z"}, "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0."}], "source": {"advisory": "GHSA-7vhp-vf5g-r2fw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69263", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-09T04:55:27.484400Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:55.589Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-69263", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-09T04:55:27.484400Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T21:40:15.979Z"}}], "cna": {"title": "pnpm Lockfile Integrity Bypass Allows Remote Dynamic Dependencies", "source": {"advisory": "GHSA-7vhp-vf5g-r2fw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "pnpm", "product": "pnpm", "versions": [{"status": "affected", "version": "< 10.26.0"}]}], "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw", "name": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85", "name": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-494", "description": "CWE-494: Download of Code Without Integrity Check"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T21:31:07.567Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69263", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:04:55.589Z", "dateReserved": "2025-12-30T19:36:06.780Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-07T21:31:07.567Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*", "matchCriteriaId": "A3F90B60-F345-4158-ABB3-A5F444A64C65", "versionEndExcluding": "10.26.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0."}], "id": "CVE-2025-69263", "lastModified": "2026-01-12T21:52:22.250", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-07T22:15:43.727", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-494"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "pnpm: pnpm Lockfile Integrity Bypass", "id": "2427703", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427703"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-494", "details": ["No description is available for this CVE."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-69263", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-01-07T21:31:07Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-69263\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-69263\nhttps://github.com/pnpm/pnpm/commit/0958027f88a99ccefe7e9676cdebba393dfbdc85\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-7vhp-vf5g-r2fw"], "threat_severity": "Important"}

{"created": "2026-01-08T09:48:01.688690+00:00", "updated": "2026-01-08T09:48:01.688738+00:00", "vendors": ["pnpm", "pnpm$PRODUCT$pnpm"]}