CVE-2025-54798

Name: CVE-2025-54798
Description: tmp is a temporary file and directory creator for Node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via a symbolic link supplied in the dir parameter. This is fixed in version 0.2.4.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4268-1
Debian Bugs: 1110532

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release              Version                          Status
node-tmp (PTS)    bullseye             0.2.1+dfsg-1                     vulnerable
                  bullseye (security)  0.2.1+dfsg-1+deb11u1             fixed
                  bookworm             0.2.2+dfsg+~0.2.3-1.1~deb12u1    fixed
                  trixie               0.2.2+dfsg+~0.2.3-1.1~deb13u1    fixed
                  forky, sid           0.2.2+dfsg+~0.2.3-1.1            fixed

The information below is based on the following data on fixed versions.

Package    Type    Release      Fixed Version                    Urgency  Origin      Debian Bugs
node-tmp   source  bullseye     0.2.1+dfsg-1+deb11u1                      DLA-4268-1
node-tmp   source  bookworm     0.2.2+dfsg+~0.2.3-1.1~deb12u1
node-tmp   source  trixie       0.2.2+dfsg+~0.2.3-1.1~deb13u1
node-tmp   source  (unstable)   0.2.2+dfsg+~0.2.3-1.1                                 1110532

Notes

https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
https://github.com/raszi/node-tmp/issues/207
https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b (v0.2.4)
