Impact
The vulnerability allows attackers to inject path traversal sequences such as "../" or path separators into the prefix, postfix, or dir options of the tmp package. This flaw results in files or directories being created outside the intended temporary base directory at locations controlled by the attacker. Because the files are written with the privileges of the running process, an attacker can overwrite critical system files, expose sensitive data, or potentially use the created files to facilitate further attacks such as code injection or privilege escalation. The weakness originates from improper validation of user-supplied path components and is classified as CWE‑22.
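A caller-side check for the three options named above, as an added example that is not code from node-tmp or from the advisory. The helper names, the 64-character limit and the sample values are assumptions, and the base directory is assumed to be the system temporary directory unless one is passed in.

```javascript
// Added example: helper names and limits are hypothetical.
const path = require('node:path');
const os = require('node:os');

// prefix/postfix become part of a file name, so they must not contain
// a path separator, a NUL byte, or a ".." sequence.
function isSafeNameFragment(value) {
  return typeof value === 'string' &&
    value.length <= 64 &&
    !/[\/\\\0]/.test(value) &&
    !value.includes('..');
}

// dir is resolved against the base directory and must not leave it.
// Returns the normalised path relative to baseDir, or null if it escapes.
function relativeInsideBase(baseDir, dir) {
  if (typeof dir !== 'string' || dir.includes('\0')) return null;
  const base = path.resolve(baseDir);
  const target = path.resolve(base, dir);
  const rel = path.relative(base, target);
  const escapes = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : rel;
}

// Build the option object from untrusted input, throwing on anything that
// could place the file outside baseDir (assumed: the system temp directory).
function safeTmpOptions(input, baseDir = os.tmpdir()) {
  const { prefix = 'tmp-', postfix = '', dir = '' } = input;
  if (!isSafeNameFragment(prefix)) throw new Error('unsafe prefix');
  if (!isSafeNameFragment(postfix)) throw new Error('unsafe postfix');
  const rel = relativeInsideBase(baseDir, dir);
  if (rel === null) throw new Error('dir escapes base directory');
  return { prefix, postfix, dir: rel };
}
```

The dir check is lexical and does not follow symbolic links that already exist inside the base directory.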
Affected Systems
The affected product is the node-tmp library authored by raszi, with all versions prior to 0.2.6 vulnerable. Applications built on Node.js that rely on these older versions and pass untrusted data to tmp’s file/directory creation functions are at risk. Any deployment that uses node-tmp without upgrading to the fixed version is susceptible.
Risk and Exploitability
The CVSS score of 7.7 marks this flaw as high severity, indicating substantial impact if exploited. No EPSS score is available, and the vulnerability is absent from the CISA KEV catalog, which suggests that exploitation is not yet widely reported. Based on the description, it is inferred that the likely attack vector is untrusted user input supplied to the tmp functions. An attacker needs the ability to supply that input, which is often possible in web applications or services that generate temporary files based on user data. If successfully exploited, the attacker could create arbitrary files in any directory reachable by the Node.js process, effectively bypassing intended sandboxing and potentially leading to further compromise.