CVE-2024-24828: 
JavaScript vulnerability analysis and mitigation

pkg is a tool designed to bundle Node.js projects into executables. The vulnerability (CVE-2024-24828) affects versions up to and including 5.8.1, where native code packages built by pkg are written to a hardcoded directory /tmp/pkg/* on Unix systems, which is a shared directory for all users on the same local system (Vendor Advisory).

The vulnerability stems from the lack of uniqueness in package names within the /tmp/pkg/* directory, making them predictable. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NVD with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements but high impact potential (NVD).

An attacker with access to the same local system can replace genuine executables in the shared directory with malicious executables of the same name. Users may then unknowingly execute these malicious executables, potentially leading to unauthorized code execution (Vendor Advisory).

The package has been deprecated, and no patch will be provided for this vulnerability. Users are advised to check if their executable depends on native code by running it and checking if /tmp/pkg/ was created. The recommended action is to transition to actively maintained alternatives, such as Node.js 21's support for single executable applications (Vendor Advisory, Node.js SEA).