Description
tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring "..". It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains "../". The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.
Published: 2026-06-11
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

tmp, a temporary file and directory generator for node.js, uses a guard called _assertPath to reject unsafe names. In version 0.2.6 the guard only checks for the substring ".." in string values. The check is bypassed when the prefix, postfix or template option is supplied as a non-string value such as an array, a Buffer or a custom object whose includes('..') method returns falsy but whose stringification still contains "../". The value is stringified during name assembly (Array.prototype.join) and passed to path.join, so the resulting path can escape the intended temporary directory and tmp creates a file or directory at an attacker-controlled location with the host process's privileges. The CVSS vector (C:N/I:H/A:L) reflects this: an integrity impact from arbitrary file or directory creation, with no confidentiality impact. Whether that creation escalates further (for example, a file dropped where the application or another service later loads it) depends on the deployment; the advisory does not describe such a chain. The root cause is a guard that validates the value's content without first validating its type (CWE-20, Improper Input Validation), which the advisory title describes as a type-confusion bypass, leading to path traversal (CWE-22).

Affected Systems

The vulnerability is present in the node-tmp package from the raszi vendor. Any installation of version 0.2.6 that relies on the API functions tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync and accepts untrusted input for the options prefix, postfix or template is impacted. The fix is available in version 0.2.7.

Risk and Exploitability

The CVSS 3.1 base score is 8.2 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L: reachable over the network through the application's own request handling, no privileges or user interaction required, high integrity impact and low availability impact. No EPSS score is available, so exploitation likelihood has not been quantified, but the SSVC enrichment records Exploitation: poc and Automatable: yes, meaning a proof of concept exists and the bypass can be triggered by a crafted request without manual steps. The vulnerability is not listed in the CISA KEV catalog. An attacker triggers the flaw by sending a request body or query string in which prefix, postfix or template arrives as a non-string value (for example a JSON array, or a bracket-array query parameter such as ?prefix[]=... when parsed by qs); the guard passes the value and the stringified result traverses out of the temporary directory. The created file or directory carries the privileges of the Node.js process, so the practical impact depends on where that process may write and on what later consumes the created path.

Generated by OpenCVE AI on June 11, 2026 at 20:35 UTC.

Remediation

The vendor fix is node-tmp 0.2.7, which corrects the guard. No separate workaround is published; until the upgrade is applied, enforce that prefix, postfix and template are strings before they reach tmp (see Recommended Actions below).

OpenCVE Recommended Actions

  • Upgrade the node‑tmp package to version 0.2.7 or newer, where the guard has been corrected.
  • Where prefix, postfix or template can come from external input, require typeof value === 'string' and reject any string containing ".." before passing it to tmp; tmp's own 0.2.6 guard only defends the string case.
  • Do not coerce arrays, Buffers or objects to strings and hand the result to tmp unchecked: the join/String coercion is exactly what the bypass relies on. If coercion is unavoidable, coerce first and then apply the same string checks to the coerced value.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 20:30:00 +0000

Type: First Time appeared
  Values Added: Raszi; Raszi node-tmp
Type: Vendors & Products
  Values Added: Raszi; Raszi node-tmp

Thu, 11 Jun 2026 19:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 16:45:00 +0000

Type: Description
  Values Added: tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.
Type: Title
  Values Added: tmp: Type-confusion bypass of _assertPath in tmp@0.2.6 allows path traversal via non-string prefix/postfix/template
Type: Weaknesses
  Values Added: CWE-20; CWE-22
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-11T18:24:22.459Z

Reserved: 2026-06-02T18:30:51.282Z

Link: CVE-2026-49982

Vulnrichment

Updated: 2026-06-11T18:24:08.617Z

NVD

Status : Awaiting Analysis

Published: 2026-06-11T17:16:35.227

Modified: 2026-06-11T20:59:17.743

Link: CVE-2026-49982

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T20:45:10Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')