CVE-2024-47829

Published: Apr 23, 2025Modified: Sep 19, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.

Affected (1)

Products: Pnpm: Pnpm

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Pnpm Pnpm	Before 10.0.0

Related CWEs

Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

References (1)

https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.