What is the severity of CVE-2024-47829?

CVE-2024-47829 has a medium severity rating due to its potential impact on filename handling in pnpm.

How do I fix CVE-2024-47829?

To fix CVE-2024-47829, update pnpm to version 10.0.0 or later.

What software is affected by CVE-2024-47829?

CVE-2024-47829 affects the pnpm package management tool.

What does CVE-2024-47829 exploit?

CVE-2024-47829 exploits issues in the path shortening function that can lead to improper filename handling.

Is CVE-2024-47829 a common vulnerability?

While CVE-2024-47829 may not be among the most common vulnerabilities, it still poses a risk to projects using affected versions of pnpm.

Vulnerability/
CVE-2024-47829

medium

6.5

CWE

328

23/4/2025

CVE-2024-47829: pnpm uses the md5 path shortening function causes packet paths to coincide, which causes indirect packet overwriting

First published: Wed Apr 23 2025(Updated: )

pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
npm/pnpm	<10.0.0	10.0.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-47829?
CVE-2024-47829 has a medium severity rating due to its potential impact on filename handling in pnpm.
How do I fix CVE-2024-47829?
To fix CVE-2024-47829, update pnpm to version 10.0.0 or later.
What software is affected by CVE-2024-47829?
CVE-2024-47829 affects the pnpm package management tool.
What does CVE-2024-47829 exploit?
CVE-2024-47829 exploits issues in the path shortening function that can lead to improper filename handling.
Is CVE-2024-47829 a common vulnerability?
While CVE-2024-47829 may not be among the most common vulnerabilities, it still poses a risk to projects using affected versions of pnpm.

agent/references
agent/weakness
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/title
agent/type
agent/description
collector/nvd-api
source/NVD
agent/last-modified-date
agent/severity
agent/source
agent/author
agent/event
agent/tags
collector/nvd-cve
collector/github-advisory-latest
source/GitHub
alias/GHSA-8cc4-rfj6-fhg4
alias/CVE-2024-47829
agent/software-canonical-lookup
package-manager/npm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.