CVE-2024-47829

6.5 MEDIUM

📋 TL;DR

pnpm versions before 10.0.0 shorten over-long dependency paths in the virtual store (node_modules/.pnpm) by replacing them with an MD5-derived directory name. MD5 is not collision-resistant, so two different packages whose paths hash to the same value are written into the same directory, where one silently overwrites or is resolved in place of the other. Every developer machine and CI system that installs with an affected pnpm is exposed; the effect ranges from a corrupted install to the wrong package's code being loaded.

💻 Affected Systems

Products:
  • pnpm
Versions: All versions before 10.0.0
Operating Systems: All platforms where pnpm runs (Linux, macOS, Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: The shortening applies to directory names inside the virtual store (node_modules/.pnpm by default), regardless of where the content-addressable store lives. Any project installed or updated with an affected pnpm is exposed during those operations.

📦 What is this software?

pnpm is a package manager for Node.js projects. It keeps one content-addressable store of package files per machine and links packages from it into each project's node_modules; each package version, together with its peer dependencies, lives in a directory under node_modules/.pnpm (the virtual store) whose name is derived from its dependency path.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious package whose shortened path collides with that of a legitimate dependency is written into the legitimate package's directory, so the attacker's files replace the real ones and run wherever that dependency is imported. Even without an attacker, two colliding packages corrupt each other and produce broken builds or runtime failures.

🟠

Likely Case

Intermittent installation failures, corrupted node_modules directories, or inconsistent package versions across environments.

🟢

If Mitigated

Minor installation issues that might be mistaken for network or cache problems, with no direct security compromise.

🌐 Internet-Facing: LOW - This primarily affects build/development environments rather than production services.
🏢 Internal Only: MEDIUM - Development and CI/CD pipelines could experience build failures or inconsistent package installations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH - Computing an MD5 collision is cheap with published chosen-prefix attacks; the hard part is that both colliding inputs must be valid package names and versions that a registry accepts and that also end up in the victim's dependency graph.

Exploitation requires two package identities whose shortened paths hash to the same MD5 value, plus a way to get both into the target's install. That makes practical attacks difficult, but the cryptographic step is not the barrier: MD5 collision generation is a solved problem.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.0

Vendor Advisory: https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4

Restart Required: No

Instructions:

1. Check the current pnpm version: pnpm --version
2. Update pnpm: npm install -g pnpm@10.0.0 (projects that pin pnpm through the packageManager field in package.json should run corepack use pnpm@10.0.0 instead, so the pin is updated as well)
3. Verify the update: pnpm --version
4. Rebuild the virtual store so directory names are regenerated under the new hashing scheme: delete node_modules and run pnpm install. Note that pnpm store prune only removes unreferenced packages from the content-addressable store; it does not rebuild node_modules.
5. Update CI images and any pnpm version pinned in pipeline configuration to 10.0.0 or later, otherwise builds keep running the vulnerable version.

🔧 Temporary Workarounds

Use an alternative package manager temporarily

all

Switch to npm or yarn until pnpm can be updated. Each produces its own lockfile (package-lock.json or yarn.lock) and its own dependency resolution, which will differ from pnpm-lock.yaml; treat this as a stopgap and do not commit a second lockfile next to pnpm-lock.yaml.

npm install
yarn install

Manual package installation

all

Install critical packages with npm, bypassing pnpm's virtual store entirely. With --no-save nothing is written to package.json or a lockfile, so the result is not reproducible and is only suitable for a one-off build.

npm install <package-name> --no-save

🧯 If You Can't Patch

  • Monitor build logs for package installation failures or corruption warnings
  • Implement integrity verification for critical dependencies in CI/CD pipelines: pnpm-lock.yaml records an integrity hash per resolved package, so install with pnpm install --frozen-lockfile and review every lockfile change, which keeps an unexpected package from entering the dependency graph unnoticed

🔍 How to Verify

Check if Vulnerable:

Run: pnpm --version and check if version is less than 10.0.0

Check Version:

pnpm --version

Verify Fix Applied:

Run: pnpm --version and confirm version is 10.0.0 or higher

📡 Detection & Monitoring

Log Indicators:

pnpm does not detect colliding directory names and emits no collision warning, so log-based detection is indirect at best. Look for:

  • Package installation failures, or errors reading files that should exist under node_modules/.pnpm
  • A package whose installed contents (the name or version in its package.json) do not match the dependency path its directory is named after
  • Unexpected package overwrites in node_modules

Network Indicators:

  • Repeated downloads of the same dependency across runs
  • Unusual package resolution patterns

SIEM Query (weak signal: it matches generic pnpm failure text, since no pnpm-specific collision message exists):

process.name="pnpm" AND (log_message:"ERR_PNPM" OR log_message:"corrupt" OR log_message:"ENOENT")

🔗 References

  • GitHub Security Advisory GHSA-8cc4-rfj6-fhg4: https://github.com/pnpm/pnpm/security/advisories/GHSA-8cc4-rfj6-fhg4
  • NVD record for CVE-2024-47829: https://nvd.nist.gov/vuln/detail/CVE-2024-47829
