[Pkg-javascript-devel] Bug#1139827: node-tmp: CVE-2026-44705
Salvatore Bonaccorso
carnil at debian.org
Fri Jun 12 16:11:57 BST 2026
Source: node-tmp
Version: 0.2.5+dfsg+~0.2.6-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-tmp.
CVE-2026-44705[0]:
| tmp is a temporary file and directory creator for node.js. Prior to
| 0.2.6, the tmp npm package contains a path traversal vulnerability
| that allows escaping the intended temporary directory when untrusted
| data flows into the prefix, postfix, or dir options. By embedding
| traversal sequences (e.g., ../) or path separators in these
| parameters, attackers can cause files to be created outside the
| configured temporary base directory at attacker-controlled locations
| with the privileges of the running process. This vulnerability
| affects applications that pass user-controlled data to tmp's
| file/directory creation functions without proper input sanitization.
| This vulnerability is fixed in 0.2.6.
Note that upstream 0.2.6 introduced CVE-2026-49982, so when fixing
this issue make sure not to open up the later one and to make the fixes
complete.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-44705
https://www.cve.org/CVERecord?id=CVE-2026-44705
[1] https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore