CVE-2024-47829

pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4	Vendor Advisory Exploit

Configurations

Configuration 1 (hide)

cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*

History

19 Sep 2025, 20:08

Type	Values Removed	Values Added
References	~~() https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4 -~~	() https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4 - Vendor Advisory, Exploit
CPE		cpe:2.3:a:pnpm:pnpm:::::::node.js:*
First Time		Pnpm pnpm Pnpm

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) pnpm es un gestor de paquetes. Antes de la versión 10.0.0, la función de acortamiento de rutas utilizaba la función md5 como función de compresión de acortamiento de rutas, y si se producía una colisión, se obtenía la misma ruta de almacenamiento para dos librerías diferentes. Aunque los nombres reales se encuentran bajo el nombre del paquete /node_modoules/, no hay números de versión para las librerías a las que hacen referencia. Este problema se ha corregido en la versión 10.0.0.

23 Apr 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-23 16:15

Updated : 2025-09-19 20:08

NVD link : CVE-2024-47829

Mitre link : CVE-2024-47829

CVE.ORG link : CVE-2024-47829

JSON object : View

Products Affected

pnpm

pnpm

CWE

CWE-328

Use of Weak Hash

{"id": "CVE-2024-47829", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.7, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2025-04-23T16:15:29.910", "references": [{"url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-328"}]}], "descriptions": [{"lang": "en", "value": "pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0."}, {"lang": "es", "value": "pnpm es un gestor de paquetes. Antes de la versi\u00f3n 10.0.0, la funci\u00f3n de acortamiento de rutas utilizaba la funci\u00f3n md5 como funci\u00f3n de compresi\u00f3n de acortamiento de rutas, y si se produc\u00eda una colisi\u00f3n, se obten\u00eda la misma ruta de almacenamiento para dos librer\u00edas diferentes. Aunque los nombres reales se encuentran bajo el nombre del paquete /node_modoules/, no hay n\u00fameros de versi\u00f3n para las librer\u00edas a las que hacen referencia. Este problema se ha corregido en la versi\u00f3n 10.0.0."}], "lastModified": "2025-09-19T20:08:55.927", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:node.js:*", "vulnerable": true, "matchCriteriaId": "89AB81FD-3362-4C6A-AB71-9996BB1C31C2", "versionEndExcluding": "10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}