Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-379q-355j-w6rj

HIGH

pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"

Also known asCVE-2025-69264
Published
Jan 7, 2026
Updated
Feb 3, 2026
Affected
1 pkg
Patched
1 / 1
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
0.8%probability of exploitation in next 30 days
Lower Risk52th percentile+0.64%
0.00%0.44%0.87%1.31%0.2%0.8%Feb 26May 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

1 pkg affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

pnpmnpm
114.3Mdownloads / week

Description

pnpm v10+ Git Dependency Script Execution Bypass

Summary

A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval.

Details

pnpm v10 introduced a security feature to disable dependency lifecycle scripts by default (PR #8897). This is implemented by setting onlyBuiltDependencies = [] when no build policy is configured:

File: pkg-manager/core/src/install/extendInstallOptions.ts (lines 290-291)

if (opts.neverBuiltDependencies == null && opts.onlyBuiltDependencies == null && opts.onlyBuiltDependenciesFile == null) {
  opts.onlyBuiltDependencies = []
}

This creates an allowlist that blocks all packages from running scripts during the BUILD phase in exec/build-modules/src/index.ts.

However, git-hosted dependencies are processed differently. During the FETCH phase, git packages are prepared using preparePackage():

File: exec/prepare-package/src/index.ts (lines 28-57)

export async function preparePackage (opts: PreparePackageOptions, gitRootDir: string, subDir: string) {
  // ...
  if (opts.ignoreScripts) return { shouldBeBuilt: true, pkgDir }  // Only checks ignoreScripts, not onlyBuiltDependencies

  const execOpts: RunLifecycleHookOptions = {
    // ...
    rawConfig: omit(['ignore-scripts'], opts.rawConfig),  // Explicitly removes ignore-scripts!
  }

  // Runs npm/pnpm install
  await runLifecycleHook(installScriptName, manifest, execOpts)

  // Runs prepare scripts
  for (const scriptName of PREPUBLISH_SCRIPTS) {  // ['prepublish', 'prepack', 'publish']
    await runLifecycleHook(newScriptName, manifest, execOpts)
  }
}

The ignoreScripts option defaults to false and is completely separate from onlyBuiltDependencies. The onlyBuiltDependencies allowlist is never consulted during the fetch phase.

Affected scripts that execute during fetch:

  • prepare
  • prepublish
  • prepack

Attack vectors:

  • git+https://github.com/attacker/malicious.git
  • github:attacker/malicious
  • gitlab:attacker/malicious
  • bitbucket:attacker/malicious
  • git+ssh://[email protected]/attacker/malicious.git
  • git+file:///path/to/local/repo

PoC

Prerequisites:

  • pnpm v10.0.0 or later (tested on v10.23.0 and v11.0.0-alpha.1)
  • git

Steps to reproduce:

  1. Extract the attached poc.zip

  2. Run the PoC script:

    cd poc
chmod +x run-poc.sh
./run-poc.sh

  3. Verify the marker file was created by the malicious script:

    cat /tmp/pnpm-vuln-poc-marker.txt

Manual reproduction:

  1. Create a malicious package with a prepare script:

    {
  "name": "malicious-pkg",
  "version": "1.0.0",
  "scripts": {
    "prepare": "node -e \"require('fs').writeFileSync('/tmp/pwned.txt', 'RCE!')\""
  }
}

  2. Initialize it as a git repo and commit the files

  3. Create a victim project that depends on it (just have to make sure it actually git clones and not just downloads a tarball):

    {
  "dependencies": {
    "malicious-pkg": "git+file:///path/to/malicious-pkg"
  }
}

  4. Run pnpm install - the prepare script executes without any warning or approval prompt

Impact

Severity: High

Who is impacted:

  • All pnpm v10+ users
  • Users who believed they were protected by the v10 "scripts disabled by default" feature
  • CI/CD pipelines

Attack scenarios:

  1. Supply chain attack: An attacker compromises a dependency, adding to it a malicious git dependency that executes arbitrary code during pnpm install

What an attacker can do:

  • Execute arbitrary code with the victim's privileges
  • Exfiltrate environment variables, secrets, and credentials
  • Modify source code or inject backdoors
  • Establish persistence or reverse shells
  • Access the filesystem and network

Why this bypasses security expectations:

  • pnpm v10 changelog explicitly states "Lifecycle scripts of dependencies are not executed during installation by default"
  • Users expect git dependencies to follow the same security model as npm registry packages
  • There is no warning that git dependencies are treated differently
  • The onlyBuiltDependencies configuration does not affect git dependencies

Affected Packages

1 total 1 fixed
EcosystemPackageVulnerable rangeFix
📦npmpnpm10.0.0&&< 10.26.010.26.0

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for pnpm. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update pnpm to 10.26.0 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-379q-355j-w6rj is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-379q-355j-w6rj is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-379q-355j-w6rj. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

# pnpm v10+ Git Dependency Script Execution Bypass ### Summary A security bypass vulnerability in pnpm v10+ allows git-hosted dependencies to execute arbitrary code during `pnpm install`, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks `postinstall` scripts via the `onlyBuiltDependencies` mechanism, git dependencies can still execute `prepare`, `prepublish`, and `prepack` scripts during the fetch phase, enabling remote code execution without user consent or approval. ### Details pnpm v10 introduced a security featur
O3 Security · Impact-Aware SCA

Is GHSA-379q-355j-w6rj in your dependencies?

O3 detects GHSA-379q-355j-w6rj across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works