THREAT OPS › Threat News › [NVD] CVE-2025-69263 (HIGH 7.5) — pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who p
[NVD] CVE-2025-69263 (HIGH 7.5) — pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who p
CVE-2025-69263 CVSS: 7.5 HIGH Published: 2026-01-07T22:15:43.727
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can
Indicators of compromise
- CVE-2025-69263cve
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-69263