Two critical vulnerabilities (CVE-2025-69263, CVE-2025-69264) were discovered in pnpm 10.0.0–10.25. They allow lockfile integrity bypass and remote code execution, so immediate updates are required.
A summary of impact verification and mitigation steps for the CVSS 10.0 React2Shell vulnerability (CVE-2025-55182 / CVE-2025-66478), plus additional DoS and source code exposure issues.