CVE-2026-44705 - High Severity Vulnerability
Vulnerable Library - tmp-0.0.33.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tmp/package.json
Dependency Hierarchy:
- lerna-3.2.1.tgz (Root Library)
- clean-3.1.3.tgz
- prompt-3.0.0.tgz
- inquirer-5.2.0.tgz
- external-editor-2.2.0.tgz
- ❌ tmp-0.0.33.tgz (Vulnerable Library)
Found in HEAD commit: 540c99a1154755210d6564a50420589ebbf7f97c
Found in base branch: master
Vulnerability Details
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
CVE-2026-44705 - High Severity Vulnerability
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tmp/package.json
Dependency Hierarchy:
Found in HEAD commit: 540c99a1154755210d6564a50420589ebbf7f97c
Found in base branch: master
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6