Homepage
About Snyk

Creation of Temporary File in Directory with Insecure Permissions Affecting pkg package, versions *

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JS-PKG-6241720
  • published 13 Feb 2024
  • disclosed 10 Feb 2024
  • credit Tomi Belan
Report a new vulnerability Found a mistake?

Introduced: 10 Feb 2024

CVE-2024-24828 Open this link in a new tab
CWE-379 Open this link in a new tab

How to fix?

There is no fixed version for pkg.

Overview

pkg is a command line interface that enables packaging a Node.js project into an executable

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions in /tmp/pkg/, which is the hardcoded location for all included packages. A user with write access to that shared directory can replace packages and have them unknowingly executed by other users.

Note: pkg is deprecated so no fix is expected for this issue. However, the maintainers "recommend investigating Node.js 21’s support for single executable applications".

References

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.1 high
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    Required
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    None
Expand this section

NVD

7.8 high