CVE-2026-44705
HighCVSS 8.2Exploitation Probability (EPSS)
Low risk38th percentile - higher than 38% of all known CVEs
Summary
The tmp package for node.js prior to version 0.2.6 contained a path traversal vulnerability that allowed escaping the intended temporary directory. Attackers could exploit traversal sequences or path separators to create files in attacker-controlled locations.
Risk Assessment
Organizations may be exposed to unauthorized access to the file system, potentially leading to data leaks or malware. Applications that do not sanitize input data are particularly at risk.
Recommendation
It is recommended to update the tmp package to version 0.2.6 or later and to implement proper input sanitization mechanisms in applications using this package.
Original NVD description (English source)
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

