Creation of Temporary File in Directory with Insecure Permissions Affecting pkg package, versions *


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Creation of Temporary File in Directory with Insecure Permissions vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-PKG-6241720
  • published13 Feb 2024
  • disclosed10 Feb 2024
  • creditTomi Belan

Introduced: 10 Feb 2024

CVE-2024-24828  (opens in a new tab)
CWE-379  (opens in a new tab)

How to fix?

There is no fixed version for pkg.

Overview

pkg is a command line interface that enables packaging a Node.js project into an executable

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in /tmp/pkg/, which is the hardcoded location for all included packages. A user with write access to that shared directory can replace packages and have them unknowingly executed by other users.

Note: pkg is deprecated so no fix is expected for this issue. However, the maintainers "recommend investigating Node.js 21’s support for single executable applications".

References

CVSS Scores

version 3.1