[CVE-2025-69264] pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

January 13, 2026 00:02:04
The Daily Cyberspace Information

Show Notes

A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval.


Episode Transcript

Details

pnpm v10 introduced a security feature to disable dependency lifecycle scripts by default (PR #8897). This is implemented by setting onlyBuiltDependencies = [] when no build policy is configured.

Impact

Severity: High

Who is impacted:
- All pnpm v10+ users
- Users who believed they were protected by the v10 "scripts disabled by default" feature
- CI/CD pipelines

Attack scenarios:
- Supply chain attack: an attacker compromises a dependency, adding to it a malicious git dependency that executes arbitrary code during pnpm install

What an attacker can do:
- Execute arbitrary code with the victim's privileges
- Exfiltrate environment variables, secrets, and credentials
- Modify source code or inject backdoors
- Establish persistence or reverse shells
- Access the filesystem and network
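The point of the advisory is that the onlyBuiltDependencies policy governs build-phase scripts such as postinstall, while git-hosted dependencies run prepare, prepublish and prepack earlier, during fetch. A practical defensive check is therefore to find every git specifier a project declares and report which of those fetch-phase scripts the fetched manifest carries. The audit below is an added example written for this page; it is not pnpm's own code and does not reproduce PR #8897. The package names, specifiers and manifests are constructed sample data, and the specifier patterns in isGitSpecifier are an assumption that approximates the git forms npm and pnpm accept (git+ URLs, github:/gitlab:/bitbucket:/gist: shorthands, https URLs ending in .git, and the bare owner/repo shorthand).

```javascript
// Added audit example (not pnpm's own code): flag git-hosted dependency
// specifiers in a package.json and list the lifecycle scripts that pnpm runs
// for such dependencies during the fetch phase, outside the build policy.

// Scripts the advisory names as running during the fetch phase for git deps.
const FETCH_PHASE_SCRIPTS = ['prepare', 'prepublish', 'prepack'];

const DEPENDENCY_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Heuristic (assumption, not pnpm's resolver): true when a specifier points at a
// git repository rather than a registry version, file, link or workspace alias.
function isGitSpecifier(spec) {
  if (typeof spec !== 'string') return false;
  if (/^git(\+[a-z]+)?:\/\//i.test(spec)) return true;                 // git://, git+ssh://, git+https://
  if (/^(github|gitlab|bitbucket|gist):/i.test(spec)) return true;     // hosted shorthands
  if (/^https?:\/\/.+\.git(#.*)?$/i.test(spec)) return true;           // plain https clone URL
  if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#.*)?$/.test(spec)) return true; // bare "owner/repo[#ref]"
  return false;
}

// Walk a parsed package.json and return every git-hosted dependency it declares.
// Registry ranges, "npm:" aliases, "file:" and "workspace:" specifiers are skipped.
function findGitDependencies(pkg) {
  const found = [];
  for (const field of DEPENDENCY_FIELDS) {
    const deps = pkg[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (isGitSpecifier(spec)) found.push({ name, spec, field });
    }
  }
  return found;
}

// Given the package.json of a fetched git dependency, return the scripts that
// run at fetch time. postinstall is deliberately not listed: it is the script
// the onlyBuiltDependencies policy already blocks.
function fetchPhaseScripts(depPkg) {
  const scripts = (depPkg && depPkg.scripts) || {};
  return FETCH_PHASE_SCRIPTS.filter(
    (s) => typeof scripts[s] === 'string' && scripts[s].trim() !== ''
  );
}

// Audit a project: for each git dependency, attach the fetch-phase scripts found
// in its manifest (manifests are passed in as a name -> package.json map).
function auditProject(pkg, fetchedManifests) {
  return findGitDependencies(pkg).map((dep) => ({
    ...dep,
    fetchPhaseScripts: fetchPhaseScripts(fetchedManifests[dep.name]),
  }));
}

// Constructed sample project manifest (hypothetical package names).
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  dependencies: {
    lodash: '^4.17.21',                                         // registry range: ignored
    'left-pad': 'npm:left-pad@1.3.0',                           // npm alias: ignored
    'some-widget': 'github:example-org/some-widget#v1.2.0',     // git: flagged
    'legacy-tool': 'git+https://git.example.com/legacy-tool.git', // git: flagged
  },
  devDependencies: {
    'my-shared-config': 'example-org/my-shared-config',         // bare shorthand: flagged
    'local-lib': 'file:../local-lib',                           // local path: ignored
  },
};

// Constructed manifests as they would look after the git dependencies are fetched.
const SAMPLE_FETCHED_MANIFESTS = {
  'some-widget': { name: 'some-widget', scripts: { build: 'tsc', prepare: 'node scripts/setup.js' } },
  'legacy-tool': { name: 'legacy-tool', scripts: { test: 'mocha' } },
  'my-shared-config': { name: 'my-shared-config', scripts: { prepack: 'node build.js', postinstall: 'echo done' } },
};

function sampleAudit() {
  return auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_FETCHED_MANIFESTS);
}

for (const entry of sampleAudit()) {
  const verdict = entry.fetchPhaseScripts.length
    ? `runs ${entry.fetchPhaseScripts.join(', ')} at fetch time (not covered by onlyBuiltDependencies)`
    : 'no fetch-phase scripts found';
  console.log(`${entry.field}/${entry.name} -> ${entry.spec}: ${verdict}`);
}
```

Running it prints one line per git dependency: some-widget and my-shared-config are reported because their manifests carry prepare and prepack respectively, while legacy-tool is listed as a git dependency with no fetch-phase scripts. Note that my-shared-config's postinstall is not reported, since that script is the one the v10 policy already blocks. In a real project the same check should be applied to the lockfile rather than only the root package.json, because the advisory's attack scenario is a git dependency introduced by a compromised transitive dependency, not one the project author added directly.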
