CVE Catalog

CVE-2026-49982

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.45%

35th percentile - higher than 35% of all known CVEs

Summary

In version 0.2.6 of the tmp library for node.js, there is a vulnerability that allows bypassing the _assertPath guard. This enables an attacker to create a file or directory in a location controlled by them, using incorrect type values that are not strings.

Risk Assessment

Organizations may be exposed to unauthorized access to the file system, potentially leading to data leaks or malicious software operating with the host process's privileges.

Recommendation

It is recommended to update the tmp library to version 0.2.7 and implement strict type checking for data passed to file and directory creation functions.

Original NVD description (English source)

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS