CVE-2026-49982
Path Traversal in tmp Node.js Library

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
tmp is a temporary file and directory creator for Node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring '..'. It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains '../'. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges.

This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.
Affected Vendors & Products
Vendor: raszi
Product: tmp
Version / Range: all versions before 0.2.7 (0.2.7 excluded)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Quick Actions
Compliance Impact

The vulnerability allows attackers to create files or directories outside the intended temporary directory with the host process's privileges by exploiting a path traversal bypass. This can lead to unauthorized file creation or modification on the host system.

Such unauthorized access and manipulation of files could lead to violations of data protection regulations such as GDPR or HIPAA if sensitive or personal data is exposed, altered, or destroyed as a result of the exploit.

Therefore, applications affected by this vulnerability that handle regulated data and forward untrusted input to the vulnerable functions without proper validation may face compliance risks under these standards.

Executive Summary

The vulnerability in tmp version 0.2.6 arises from a type confusion in the _assertPath function, which is intended to prevent path traversal attacks by rejecting string values containing '..'. However, when non-string values such as arrays, buffers, or objects are passed as prefix, postfix, or template options, the check is bypassed: the includes('..') test is applied to the non-string value itself, where it does not match, even though the value's string form later contains '../'.

This bypass allows attackers to manipulate the path construction process, causing the creation of files or directories outside the intended temporary directory. This happens because the non-string inputs are coerced into strings containing '../' sequences during path joining, escaping the tmp directory and enabling arbitrary file or directory creation with the host process's privileges.

The vulnerability is exploitable when untrusted request data, such as JSON body fields or specially formatted query strings, are forwarded directly to tmp functions without explicit type validation.

Impact Analysis

This vulnerability can lead to arbitrary file and directory creation outside the intended temporary directory, potentially allowing attackers to write files to sensitive locations on the host system.

Because the files or directories are created with the privileges of the host process, this can result in unauthorized modification or creation of system files, which may compromise system integrity.

In multi-tenant environments or continuous integration/build systems, this could enable cross-tenant access or unauthorized writes to critical directories such as /etc.

Detection Guidance

This vulnerability can be detected by monitoring for usage of the tmp package version 0.2.6 (or any release before the 0.2.7 fix) where untrusted input is passed as non-string values (such as arrays or objects) to the prefix, postfix, or template options of tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync.

Detection can involve inspecting logs or network traffic for JSON request bodies or query strings that include array-formatted or object-formatted values containing path traversal sequences like '../'. For example, look for requests with parameters such as prefix[]=../escape.

Since the exploited path is normalized by path.join before the file is created, the resulting file names contain no '..' segments; the only host-side evidence is the file or directory itself, created outside the expected temporary directory. On a Unix-like system, recently created files can be listed with commands such as:

  • find /tmp -type f -mtime -1 -ls # files created or modified in the last day under /tmp
  • find /etc -type f -mmin -60 -ls 2>/dev/null # files created or modified in the last hour under /etc, a sensitive location outside tmpdir

Additionally, monitoring for unexpected file creations outside the tmp directory, especially in sensitive locations like /etc, can help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the tmp package to version 0.2.7 or later, where the vulnerability is fixed by adding explicit type checks in the _assertPath function.

If upgrading is not immediately possible, ensure that any input passed to tmp.file, tmp.dir, or related functions is explicitly coerced to strings and validated to prevent non-string values such as arrays or objects from being used as prefix, postfix, or template options.

Implement defense-in-depth by validating the final resolved temporary path after construction to ensure it remains within the intended temporary directory.

Also, review application code to avoid forwarding untrusted request data directly into tmp functions without sanitization or type validation.
