THREATOPS
THREAT OPSThreat News › [NVD] CVE-2025-69263 (HIGH 7.5) — pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who p

[NVD] CVE-2025-69263 (HIGH 7.5) — pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who p

lownvdPublished 2026-01-07

CVE-2025-69263 CVSS: 7.5 HIGH Published: 2026-01-07T22:15:43.727

pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can

Indicators of compromise

Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-69263