CVE-2024-24828

Summary

CVE-2024-24828 is a vulnerability affecting the `pkg` tool, which is used to bundle Node.js projects into executables. The vulnerability arises from the fact that the native code packages built by `pkg` are written to a shared directory (`/tmp/pkg/*`) on Unix systems, without any uniqueness to the package names. This allows an attacker who has access to the same local system to replace genuine executables in this shared directory with malicious ones of the same name. Consequently, a user may unknowingly run these modified executables. Since this package is deprecated, there will be no patch provided for this vulnerability. Users are advised to transition to actively maintained alternatives like Node.js 21's support for single executable applications. The vulnerability has a high base severity score of 7.8 and poses a potential danger to organizations as it can lead to unauthorized code execution and compromise system integrity and confidentiality. Note: The provided summary is based on the given information without any additional external sources.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.