Received: (at submit) by bugs.debian.org; 12 Jun 2026 15:12:00 +0000
Return-path: <carnil@debian.org>
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1wY3Y7-003hp5-2A
 for submit@bugs.debian.org; Fri, 12 Jun 2026 15:12:00 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-tmp: CVE-2026-44705
Message-ID: <178127711763.3842822.10297338807562832365.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Fri, 12 Jun 2026 17:11:57 +0200
Delivered-To: submit@bugs.debian.org

Source: node-tmp
Version: 0.2.5+dfsg+~0.2.6-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-tmp.

CVE-2026-44705[0]:
| tmp is a temporary file and directory creator for node.js. Prior to
| 0.2.6, the tmp npm package contains a path traversal vulnerability
| that allows escaping the intended temporary directory when untrusted
| data flows into the prefix, postfix, or dir options. By embedding
| traversal sequences (e.g., ../) or path separators in these
| parameters, attackers can cause files to be created outside the
| configured temporary base directory at attacker-controlled locations
| with the privileges of the running process. This vulnerability
| affects applications that pass user-controlled data to tmp's
| file/directory creation functions without proper input sanitization.
| This vulnerability is fixed in 0.2.6.

Note that the 0.2.6 upstream release introduced CVE-2026-49982, so when
fixing this issue make sure not to open up the later one and make the
fixes complete.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44705
    https://www.cve.org/CVERecord?id=CVE-2026-44705
[1] https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore