Path Shortening Vulnerability in pnpm Package Manager
CVE-2024-47829

6.5 MEDIUM

Key Information:

Vendor

Pnpm

Status
Vendor
CVE Published:
23 April 2025

What is CVE-2024-47829?

pnpm derives the directory it stores each dependency in from that dependency's path, and when the resulting name would be too long it shortens it by hashing. In versions before 10.0.0 the shortening function used MD5. MD5 is not collision resistant, so two different dependency paths can be reduced to the same shortened directory name: two different libraries would then be assigned the same storage path, with ambiguous and conflicting contents. Although each library is still placed under /node_modules/ by package name, the shortened storage path does not necessarily retain the version number, so different versions of the same library can end up in one location and overwrite each other without any warning. Exploiting this requires crafting a dependency path whose MD5 digest collides with the target's, which is why the CVSS attack complexity is rated High. The issue is fixed in pnpm 10.0.0, which no longer uses MD5 for path compression, so each shortened storage path again identifies its package uniquely. Check the installed version with pnpm --version and upgrade to 10.0.0 or later.

Affected Version(s)

pnpm < 10.0.0

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 23 April 2025: vulnerability published