
Node.js CVE-2025-54798

LOW · 2.5 · CVSS 3.1 · GitHub Advisory
Improper Link Resolution Before File Access (CWE-59)
2025-08-07 · security-advisories@github.com

Severity by source

GitHub Advisory PRIMARY
2.5 LOW
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

4 events:
  • Analysis Generated: Mar 28, 2026 - 19:05 (vuln.today)
  • Patch released: Mar 28, 2026 - 19:05 (nvd). Patch available
  • PoC Detected: Nov 03, 2025 - 20:19 (vuln.today). Public exploit code
  • CVE Published: Aug 07, 2025 - 01:15 (nvd). LOW 2.5

Blast Radius

ecosystem impact
  • 118 npm packages depend on tmp (23 direct, 95 indirect)

Ecosystem-wide dependent count for version 0.2.4.

Description (GitHub Advisory)

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

Analysis (AI)

tmp is a temporary file and directory creator for node.js. Rated low severity (CVSS 2.5). Public exploit code available.

Technical Context (AI)

This vulnerability is classified under CWE-59. tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. Affected products include: Raszi Tmp. Version information: version 0.2.4.
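
A defensive check for the weakness class described above (CWE-59), added here as an example; it is not code from tmp or from the advisory. It shows why a caller-supplied dir must be resolved through symlinks before it is trusted to lie inside a base directory. The names resolveDirInside and runDemo and the fixture directories are hypothetical and constructed for the example.

```javascript
// Added example: symlink-aware containment check for a caller-supplied dir.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper, not part of tmp's API. Resolves `dir` against
// `baseDir`, follows every symlink, and rejects a result outside baseDir.
function resolveDirInside(baseDir, dir) {
  const realBase = fs.realpathSync(baseDir);
  // realpathSync follows symlinks and throws if the path does not exist.
  const realDir = fs.realpathSync(path.resolve(realBase, dir));
  const rel = path.relative(realBase, realDir);
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes) {
    throw new Error(`dir resolves outside ${realBase}: ${realDir}`);
  }
  return realDir;
}

// Constructed fixture: base/plain is a real directory, base/link is a
// symlink to a directory outside base.
function runDemo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'cwe59-base-'));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), 'cwe59-outside-'));
  try {
    fs.mkdirSync(path.join(base, 'plain'));
    fs.symlinkSync(outside, path.join(base, 'link'), 'dir');
    const result = { lexicalInside: false, plainAccepted: false, linkRejected: false };
    // A string-only check is fooled: the unresolved path looks contained.
    const lexical = path.relative(base, path.join(base, 'link'));
    result.lexicalInside = !lexical.startsWith('..');
    result.plainAccepted =
      resolveDirInside(base, 'plain') === path.join(fs.realpathSync(base), 'plain');
    try {
      resolveDirInside(base, 'link');
    } catch (err) {
      result.linkRejected = true;
    }
    return result;
  } finally {
    fs.rmSync(base, { recursive: true, force: true });
    fs.rmSync(outside, { recursive: true, force: true });
  }
}

console.log(runDemo());
```

The check is point-in-time: a link swapped in between the check and the later write is not caught, so it complements upgrading to the fixed version rather than replacing it.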

Remediation (AI)

A vendor patch is available: the issue is fixed in tmp version 0.2.4. Apply the update as soon as possible. Implement network segmentation and monitoring as interim mitigations.
