CVSS 3.1 Score 7.8 of 10 (high)


Published Feb 9, 2024
Updated: Feb 16, 2024
CWE ID 276


CVE-2024-24828 is a vulnerability affecting the pkg tool, which is used to bundle Node.js projects into executables. The vulnerability arises from the fact that the native code packages built by pkg are written to a shared directory (/tmp/pkg/*) on Unix systems, without any uniqueness to the package names. This allows an attacker who has access to the same local system to replace genuine executables in this shared directory with malicious ones of the same name. Consequently, a user may unknowingly run these modified executables. Since this package is deprecated, there will be no patch provided for this vulnerability. Users are advised to transition to actively maintained alternatives like Node.js 21's support for single executable applications. The vulnerability has a high base severity score of 7.8 and poses a potential danger to organizations as it can lead to unauthorized code execution and compromise system integrity and confidentiality.

Note: The provided summary is based on the given information without any additional external sources.

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-24828 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options