PT-2024-20594 · Node.js+1

Tomibelan · Published 2024-02-09 · Updated 2024-02-16 · CVE-2024-24828

CVSS v3.1: 6.6 Medium

Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

pkg (affected versions not specified)

Description

The issue arises from the pkg tool writing native code packages to a hardcoded directory, specifically /tmp/pkg/* on Unix systems, which is a shared directory for all users on the same local system. The package names within this directory are predictable and lack uniqueness, allowing an attacker with access to the same local system to replace genuine executables with malicious ones of the same name. A user may then unknowingly run the malicious executable. The pkg package is deprecated, and as a result, no patch will be provided for this issue. Users are advised to transition to actively maintained alternatives, such as investigating Node.js 21's support for single executable applications.

Recommendations

To check if your executable built by pkg depends on native code and is vulnerable, run the executable and check if /tmp/pkg/ was created. Users should transition to actively maintained alternatives. Investigate Node.js 21’s support for single executable applications. Prioritize migrating to other packages that offer similar functionality with enhanced security. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
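
The check described in the recommendations, as an added example that is not part of the original advisory: a POSIX shell function to run after the pkg-built executable has been started once. It reports whether the cache directory exists and whether anything in it is owned by another account or writable by other local users. The function name audit_pkg_cache and the output labels are assumptions; /tmp/pkg is the path given in the description.

```shell
#!/bin/sh
# Added example (not from the advisory): audit pkg's shared native-code cache.
# The default path /tmp/pkg comes from the advisory; the function name and
# the output labels are hypothetical.

audit_pkg_cache() {
    dir="${1:-/tmp/pkg}"
    uid="$(id -u)"

    # A symlink in place of the cache directory would redirect extraction.
    if [ -L "$dir" ]; then
        echo "symlink: $dir"
        return 1
    fi
    # Nothing has been extracted to this location.
    if [ ! -e "$dir" ]; then
        echo "absent: $dir"
        return 0
    fi

    # Entries owned by another account were not written by this user's run.
    foreign="$(find "$dir" ! -user "$uid" -print)"
    # Group- or world-writable entries can be replaced by other local users.
    # Symlinks are skipped because their own mode bits are not meaningful.
    writable="$(find "$dir" ! -type l \( -perm -0020 -o -perm -0002 \) -print)"

    status=0
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/foreign-owner: /'
        status=1
    fi
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/writable-by-others: /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "ok: $dir"
    fi
    return "$status"
}
```

Call `audit_pkg_cache` with no argument to inspect /tmp/pkg; a non-zero exit status means at least one finding was printed. A clean result only describes the directory at the moment of the check and does not remove the shared-directory exposure the advisory describes.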

Weakness Enumeration

Incorrect Default Permissions

Related Identifiers

CVE-2024-24828
GHSA-22R3-9W55-CJ54

Affected Products

Node.js
pkg