CVE-2026-49982

Name	CVE-2026-49982
Description	tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
node-tmp (PTS)	bullseye	0.2.1+dfsg-1	fixed
	bullseye (security)	0.2.1+dfsg-1+deb11u1	fixed
	bookworm	0.2.2+dfsg+~0.2.3-1.1~deb12u1	fixed
	trixie	0.2.2+dfsg+~0.2.3-1.1~deb13u1	fixed
	forky, sid	0.2.5+dfsg+~0.2.6-2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
node-tmp	source	(unstable)	(not affected)

Notes

- node-tmp <not-affected> (Fix for CVE-2026-44705 not applied)
https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm
Fixed by: https://github.com/raszi/node-tmp/commit/8f24f788a356b5d45c9bec894632bd4931338153 (v0.2.7)