{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-07T18:51:07Z",
  "bugzilla" : {
    "description" : "pnpm: Remote code execution via command injection in tokenHelper environment variable substitution",
    "id" : "2427662",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2427662"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-78",
  "details" : [ "pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.", "A flaw was found in pnpm. This command injection vulnerability allows an attacker who can control environment variables during pnpm operations to execute arbitrary code. The vulnerability arises from improper handling of environment variable substitution within .npmrc configuration files, particularly when tokenHelper settings are used. Successful exploitation can lead to remote code execution in build environments." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat. The flaw in pnpm allows remote code execution via command injection when environment variable substitution is used in `.npmrc` files together with `tokenHelper` settings. Exploitation requires an attacker who can already set environment variables seen by pnpm and place a malicious script where the substituted value will be executed, which is why the CVSS vector records a local attack vector with high privileges required; the realistic impact is on build environments such as CI/CD pipelines or container image builds. Red Hat products such as JBoss Enterprise Application Platform are not directly affected by this pnpm vulnerability.",
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-69262\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-69262\nhttps://github.com/pnpm/pnpm\nhttps://github.com/pnpm/pnpm/security/advisories/GHSA-2phv-j68v-wwqx" ],
  "name" : "CVE-2025-69262",
  "mitigation" : {
    "value" : "The issue is fixed in pnpm 10.27.0; upgrading is the complete remediation. Until then, to reduce exposure, avoid using the tokenHelper setting in .npmrc configuration files and configure registry authentication with a token set directly instead. It is also recommended to audit and restrict which environment variables are visible to pnpm in build environments, including CI/CD pipelines and container build processes, so that untrusted parties cannot control values that are substituted into .npmrc.",
    "lang" : "en:us"
  },
  "csaw" : false
}