Use of Weak Hash

CVE-2024-47829

Medium

6.5/10

Summary

The pnpm is a package manager. In versions prior to 10.0.0-alpha.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name `/node_modoules/`, there are no version numbers for the libraries they refer to.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: LOW

CWE-328 - Use of Weak Hash

The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).

References

Advisory Timeline

Published Apr 23, 2025

Use of Weak Hash

CVE-2024-47829

Summary

CWE-328 - Use of Weak Hash

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS