Pkg Local Privilege Escalation [10] #171
Labels
No labels
blocked
documentation
duplicate
enhancement
good first issue
help wanted
invalid
needs criteria
needs estimate
needs tests
question
spike
type
admin
type
alert
type
bug
type
defect
type
dependencies
type
epic
type
investigation
type
story
wontfix
blocked
duplicate
needs criteria
needs designs
needs estimate
needs testing
question
type
admin
type
alert
type
bug
type
defect
type
dependencies
type
design
type
documentation
type
epic
type
incident
type
investigation
type
spike
type
story
won't fix
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: RabbitLabs/random-bunny#171
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Package: pkg (npm)
Affected versions: <= 5.8.1
Patched version: none
Impact
Any native code packages built by
pkg
are written to a hardcoded directory. On unix systems, this is/tmp/pkg/*
which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable.An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified.
Patches
This package is deprecated. Therefore, there will not be a patch provided for this vulnerability.
Recommended Action
To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if
/tmp/pkg/
was created.Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21’s support for single executable applications.
Workarounds
Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.