CVE-2024-47829

MEDIUM

pnpm < 10.0.0 - Use of Weak Hash via MD5 Path Shortening

Title source: llm

Description

pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.

References (1)

Core 1

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4

Scores

CVSS v3 6.5

EPSS 0.0019

EPSS Percentile 8.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-328

Status published

Products (2)

npm/pnpm 0 - 10.0.0npm

pnpm/pnpm < 10.0.0

Published Apr 23, 2025

Tracked Since Feb 18, 2026