CVE-2024-24828 – Local Privilege Escalation in execuatables bundled by pkg

https://notcve.org/view.php?id=CVE-2024-24828

pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. • https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54 https://nodejs.org/api/single-executable-applications.html • CWE-276: Incorrect Default Permissions •