CVE-2026-44705

Name: CVE-2026-44705
Description: tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1139827

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release                Version                            Status
node-tmp (PTS)    bullseye               0.2.1+dfsg-1                       vulnerable
                  bullseye (security)    0.2.1+dfsg-1+deb11u1               vulnerable
                  bookworm               0.2.2+dfsg+~0.2.3-1.1~deb12u1      vulnerable
                  trixie                 0.2.2+dfsg+~0.2.3-1.1~deb13u1      vulnerable
                  forky, sid             0.2.5+dfsg+~0.2.6-2                vulnerable

The information below is based on the following data on fixed versions.

Package     Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
node-tmp    source    (unstable)    (unfixed)                             1139827

Notes

https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65
Fixed by: https://github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429 (v0.2.6)
When fixing this issue make sure to fix it completely to not open up CVE-2026-49982
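
The containment failure in the description, and a caller-side check for it, as an added example (not code from tmp, the fix commit, or this tracker). The function names, the sample base directory and the `<base>/<dir>/<prefix>-<random><postfix>` composition are assumptions used for illustration; only the option names prefix, postfix and dir come from the advisory text.

```javascript
const path = require('path');

// Simplified model (assumption, not tmp's code) of composing a temp path from
// the options named in the advisory: <base>/<dir>/<prefix>-<random><postfix>.
function composeTmpPath(baseDir, { dir = '', prefix = 'tmp', postfix = '' } = {}, random = 'R4nd0m') {
  return path.posix.join(baseDir, dir, `${prefix}-${random}${postfix}`);
}

// True when `candidate` resolves to a location outside `baseDir`.
function escapesBase(baseDir, candidate) {
  const rel = path.posix.relative(path.posix.resolve(baseDir), path.posix.resolve(candidate));
  return rel === '..' || rel.startsWith('../') || path.posix.isAbsolute(rel);
}

// Caller-side validation of untrusted values before they reach a temp-file API.
// Returns a list of problems; an empty list means the options are acceptable.
function validateTmpOptions(baseDir, opts = {}) {
  const errors = [];
  for (const key of ['prefix', 'postfix']) {
    const v = opts[key];
    if (v === undefined) continue;
    // Name fragments must stay inside one path component. Rejecting any ".."
    // is deliberately conservative (it also refuses names such as "a..b").
    if (typeof v !== 'string' || /[\/\\\0]/.test(v) || v.includes('..')) {
      errors.push(`${key}: must not contain path separators or ".."`);
    }
  }
  if (opts.dir !== undefined) {
    if (typeof opts.dir !== 'string' || path.posix.isAbsolute(opts.dir) ||
        escapesBase(baseDir, path.posix.join(baseDir, opts.dir))) {
      errors.push('dir: must be a relative path inside the base directory');
    }
  }
  return errors;
}

// Constructed sample inputs (not taken from the advisory).
const BASE = '/tmp/app';
for (const opts of [{ prefix: 'upload' }, { prefix: '../../outside/x' },
                    { postfix: '/../../x' }, { dir: '../elsewhere' }]) {
  const p = composeTmpPath(BASE, opts);
  console.log(JSON.stringify(opts), '->', p,
    escapesBase(BASE, p) ? 'ESCAPES' : 'contained', validateTmpOptions(BASE, opts));
}
```

Validation of this kind belongs in the application even after upgrading, since the affected options are only dangerous when untrusted data reaches them.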
