CVE-2024-24828
CVSS 3.1 Score 7.8 of 10 (high)
Details
Summary
CVE-2024-24828 affects the pkg tool, which bundles Node.js projects into single executables. The vulnerability is that any native code packages bundled by pkg are written, at run time, to a hardcoded shared directory on Unix systems, which makes it easy for a local attacker to replace the genuine native executables with malicious ones before the packaged application loads them. Because the pkg package is deprecated, no patch will be provided for this vulnerability. Users should check whether their executables depend on native code and are therefore vulnerable by looking for the creation of the `/tmp/pkg/` directory. It is recommended to transition to actively maintained alternatives and to investigate Node.js 21's support for single executable applications. No official workarounds or remediations are provided by the team, so users should prioritize migration to other packages.
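As an added example that is not part of this advisory or of the pkg project, the POSIX shell check below turns the "look for `/tmp/pkg/`" advice into an audit of that directory: it reports whether the path exists, and if so whether it is a symlink, owned by another user, or writable by group or others, the conditions under which another local user could swap the unpacked native code. The path `/tmp/pkg` comes from the advisory; the ownership and permission criteria are this example's own assumptions about what makes the shared directory tamperable.

```shell
#!/bin/sh
# Added example, not from the advisory or the pkg project: audit the fixed
# directory that pkg uses on Unix to unpack native addons (/tmp/pkg/).
# A directory there that is a symlink, owned by someone else, or writable by
# other users means a local user could replace the unpacked native code before
# the packaged application loads it (CVE-2024-24828).

# check_pkg_dir DIR -> 0 if DIR is absent or safely owned and permissioned,
#                      1 if DIR exists and another local user could tamper with it
check_pkg_dir() {
    dir="$1"
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo "ok: $dir does not exist (no native addons unpacked here yet)"
        return 0
    fi
    if [ -L "$dir" ]; then
        echo "WARN: $dir is a symlink to $(readlink "$dir"); unpacked code would be redirected"
        return 1
    fi
    # GNU stat first, BSD/macOS stat as the fallback
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir")
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    status=0
    if [ "$owner" != "$(id -u)" ]; then
        echo "WARN: $dir is owned by uid $owner, not the current user (uid $(id -u))"
        status=1
    fi
    # Last octal digit is 'other', the one before it is 'group'; the write bit is 2.
    other=${mode#"${mode%?}"}
    rest=${mode%?}
    group=${rest#"${rest%?}"}
    case "$other" in 2|3|6|7)
        echo "WARN: $dir is world-writable (mode $mode)"; status=1;;
    esac
    case "$group" in 2|3|6|7)
        echo "WARN: $dir is group-writable (mode $mode)"; status=1;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "ok: $dir is owned by you and not writable by others (mode $mode)"
    fi
    return "$status"
}

# Usage: sh check_pkg_dir.sh [DIR]   (defaults to the pkg unpack directory)
check_pkg_dir "${1:-/tmp/pkg}"
```

Run it on each host where a pkg-built executable with native addons is deployed; a WARN on an existing `/tmp/pkg` is the signal to migrate that application off pkg rather than to patch the directory, since the path is fixed in the deprecated tool.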
Affected Vendors
- Vercel Inc.