Predictable Package Names in pkg Lead to Security Risks
CVE-2024-24828

7.8HIGH

Key Information:

Vendor
vercel
Status
Vendor
CVE Published:
9 February 2024

Summary

The pkg tool from Vercel, intended for bundling Node.js projects into executable files, is vulnerable because on Unix systems it unpacks into a hardcoded, shared directory, /tmp/pkg/*. Package names inside this directory are not unique per user or per build, so the paths are predictable. An attacker with access to the local system can replace a legitimate executable with a malicious one of the same name, which users may then unknowingly execute. The pkg tool is deprecated and will not receive a patch for this vulnerability. Users are advised to check whether their executables rely on native code and therefore use the /tmp/pkg/ directory. Transitioning to an actively maintained alternative, such as Node.js 21's single executable applications support, is strongly recommended.
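
The advisory asks users to check whether their executables use the /tmp/pkg/ directory. As an added example (not code from the advisory or from the pkg project), the POSIX shell function below audits that directory for entries owned by another local account or writable by group or other users, the two conditions under which a same-named file could be planted there; the optional directory argument and the script name pkg_audit.sh are assumptions.

```shell
#!/bin/sh
# Audit a pkg extraction directory for entries another local user could have
# created or could overwrite. Defaults to the hardcoded /tmp/pkg named in the
# advisory; a different path (assumed parameter) can be passed for testing.
# Exit status: 0 = nothing suspicious, 1 = at least one entry flagged.
pkg_audit_dir() {
    dir="${1:-/tmp/pkg}"
    me="$(id -u)"   # numeric uid: works even when the uid has no name

    # No directory means no pkg executable has unpacked native code here.
    if [ ! -d "$dir" ]; then
        echo "$dir: not present, nothing to audit"
        return 0
    fi

    # Flag every entry, the directory itself included, that is not owned by
    # the invoking user or that group/other users can write to (POSIX find:
    # -perm -020 = group write bit set, -perm -002 = other write bit set).
    hits="$(find "$dir" \( ! -user "$me" -o -perm -020 -o -perm -002 \) -print)"

    if [ -z "$hits" ]; then
        echo "$dir: all entries owned by uid $me and not group/world writable"
        return 0
    fi

    echo "$dir: suspicious entries (foreign owner or group/world writable):"
    printf '%s\n' "$hits" | while read -r p; do
        # Show owner and mode beside each path; stat flags differ between
        # GNU and BSD, so try the GNU form first and fall back to BSD.
        info="$(stat -c '%U %a' "$p" 2>/dev/null || stat -f '%Su %Lp' "$p")"
        printf '  %s  %s\n' "$info" "$p"
    done
    return 1
}

# Run the audit only when executed directly as pkg_audit.sh, not when sourced.
if [ "${0##*/}" = "pkg_audit.sh" ]; then
    pkg_audit_dir "$@"
fi
```

A clean result only shows that nothing foreign is present right now; because the path is shared and predictable, the durable fix remains moving off pkg as the advisory recommends.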

Affected Version(s)

pkg <= 5.8.1

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
