Moderate severityNVD Advisory· Published Apr 23, 2025· Updated Apr 23, 2025
pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting
CVE-2024-47829
Description
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pnpmnpm | < 10.0.0 | 10.0.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-8cc4-rfj6-fhg4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-47829ghsaADVISORY
- github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.