Name | CVE-2025-54798 |
Description | tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-4268-1 |
Debian Bugs | 1110532 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
node-tmp (PTS) | bullseye | 0.2.1+dfsg-1 | vulnerable |
| bullseye (security) | 0.2.1+dfsg-1+deb11u1 | fixed |
| bookworm | 0.2.2+dfsg+~0.2.3-1.1~deb12u1 | fixed |
| trixie | 0.2.2+dfsg+~0.2.3-1.1~deb13u1 | fixed |
| forky, sid | 0.2.2+dfsg+~0.2.3-1.1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|
node-tmp | source | bullseye | 0.2.1+dfsg-1+deb11u1 | | DLA-4268-1 | |
node-tmp | source | bookworm | 0.2.2+dfsg+~0.2.3-1.1~deb12u1 | | | |
node-tmp | source | trixie | 0.2.2+dfsg+~0.2.3-1.1~deb13u1 | | | |
node-tmp | source | (unstable) | 0.2.2+dfsg+~0.2.3-1.1 | | | 1110532 |
Notes
https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
https://github.com/raszi/node-tmp/issues/207
https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b (v0.2.4)