CVE-2024-47829: 
JavaScript vulnerability analysis and mitigation

pnpm is a package manager that contains a vulnerability in versions prior to 10.0.0 where the path shortening function uses MD5 for compression. The vulnerability was discovered and disclosed on April 23, 2025, affecting all versions before 10.0.0. The issue involves the path shortening function using MD5 as a compression function, which can result in path collisions for different libraries (GitHub Advisory).

The vulnerability stems from using MD5 in the depPathToFilename function for path shortening. When package names plus version numbers exceed 120 characters, the function creates shortened paths using MD5 hashing. If a collision occurs, two different libraries can end up with the same storage path. Although the real names are maintained under /node_modules/, there are no version numbers for referenced libraries. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L and is classified as CWE-328 (Use of Weak Hash) (GitHub Advisory, NVD).

When a collision occurs, two different libraries will share the same storage path, leading to potential package version conflicts. In cases where packages reference another package C with different versions, the actual version used will depend on the installation order. This can result in packages using incorrect versions of dependencies without raising installation errors, potentially leading to the use of vulnerable versions (GitHub Advisory).

The vulnerability has been patched in version 10.0.0 by upgrading the hash function from MD5 to SHA256. Users should upgrade to version 10.0.0 or later to address this security issue (GitHub Advisory).