Skip to main content

node-tmp EUVD-2026-36265

| CVE-2026-49982 HIGH
Improper Input Validation (CWE-20)
2026-06-11 GitHub_M GHSA-7c78-jf6q-g5cm
Authentication Bypass Node.js Node Tmp Suse
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
vuln.today AI
8.2 HIGH

Reachable over the network with no auth or interaction when an app forwards request data into tmp options; arbitrary file/dir creation gives high integrity and low availability impact, no direct confidentiality loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
SUSE
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 11, 2026 - 17:15 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 316 npm packages depend on tmp (9 direct, 307 indirect)

Ecosystem-wide dependent count for version 0.2.6.

DescriptionCVE.org

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.

Articles & Coverage 2

News 3 New Node.js Vulnerabilities - 3 High Severity Jun 12, 2026 News 3 New Node.js Vulnerabilities - 3 High Severity Jun 11, 2026

AnalysisAI

Path traversal in node-tmp 0.2.6 allows remote attackers to create files or directories outside the temp directory by supplying non-string prefix, postfix, or template values (arrays, Buffers, or objects) whose includes('..') check returns falsy but whose string coercion contains ../. The 0.2.6 _assertPath guard checks only strings, so JSON body fields or qs-parsed bracket arrays such as ?prefix[]=.. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Node.js endpoint forwarding input to tmp
Delivery
Send JSON or qs bracket-array prefix payload
Exploit
Bypass _assertPath via non-string includes check
Execution
String coercion yields ../ path in _generateTmpName
Persist
path.join resolves outside tmpdir
Impact
Write attacker-controlled file or directory with process privileges
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) an application using `tmp` at exactly the 0.2.6 release, (2) that application passing untrusted input from a request into the `prefix`, `postfix`, or `template` option of `tmp.file`, `tmp.fileSync`, `tmp.dir`, `tmp.dirSync`, `tmp.tmpName`, or `tmp.tmpNameSync` without forcing a string type (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) reflects a network-reachable, no-auth, no-interaction bug with high integrity impact (arbitrary file/dir creation) and low availability impact, and that vector aligns with the description's typical exposure path (untrusted JSON or `qs` bracket-array input flowing into `tmp.*` APIs). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a request such as `POST /upload` with a JSON body `{"prefix": ["..", "..", "etc", "cron.d", "evil"]}` (or the query string `?prefix[]=..&prefix[]=..&prefix[]=etc&prefix[]=cron.d&prefix[]=evil` against an app using `qs` bracket parsing) to a Node.js service that forwards request fields into `tmp.file({ prefix: req.body.prefix })`. The 0.2.6 `_assertPath` guard sees an array, `.includes('..')` returns false, and `path.join` later resolves the joined string to a location outside the temp directory, creating an attacker-named file or directory with the service's privileges. …
Remediation Vendor-released patch: upgrade `tmp` to 0.2.7 or later (`npm install tmp@^0.2.7`) and refresh `package-lock.json` / `yarn.lock`; also audit transitive dependencies with `npm ls tmp` and force-resolve via `overrides` (npm) or `resolutions` (Yarn/pnpm) where older versions are pinned by indirect deps - see GHSA-7c78-jf6q-g5cm at https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all applications using node-tmp 0.2.6; classify exposure level by network accessibility and trust boundaries. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53633 CRITICAL
9.8 Jun 15

Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a
CVE-2026-48714 CRITICAL
9.1 Jun 15

Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p
CVE-2026-53609 CRITICAL
9.1 Jun 12

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object
CVE-2026-48054 HIGH
8.8 Jun 11

Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied
CVE-2026-53608 HIGH
8.7 Jun 12

Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 12 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Not-Affected

Share

EUVD-2026-36265 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy