Skip to content

CVE-2026-44705 (High) detected in tmp-0.0.33.tgz #164

Description

@mend-for-github-com

CVE-2026-44705 - High Severity Vulnerability

Vulnerable Library - tmp-0.0.33.tgz

Temporary file and directory creator

Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tmp/package.json

Dependency Hierarchy:

  • lerna-3.2.1.tgz (Root Library)
    • clean-3.1.3.tgz
      • prompt-3.0.0.tgz
        • inquirer-5.2.0.tgz
          • external-editor-2.2.0.tgz
            • tmp-0.0.33.tgz (Vulnerable Library)

Found in HEAD commit: 540c99a1154755210d6564a50420589ebbf7f97c

Found in base branch: master

Vulnerability Details

tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

Publish Date: 2026-06-11

URL: CVE-2026-44705

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-05-27

Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions