CVE-2026-49982

Source
https://cve.org/CVERecord?id=CVE-2026-49982
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49982.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49982
Aliases
Downstream
Related
Published
2026-06-11T15:45:00.685Z
Modified
2026-07-08T08:09:43.199657542Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L CVSS Calculator
Summary
tmp: Type-confusion bypass of _assertPath in tmp@0.2.6 allows path traversal via non-string prefix/postfix/template
Details

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49982.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20",
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/raszi/node-tmp

Affected ranges

Type
GIT
Repo
https://github.com/raszi/node-tmp
Events
Database specific
{
    "cpe": "cpe:2.3:a:raszi:tmp:0.2.6:*:*:*:*:node.js:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_STRING"
    ],
    "extracted_events": [
        {
            "introduced": "0.2.6"
        },
        {
            "last_affected": "0.2.6"
        }
    ]
}

Affected versions

0.*
0.2.6
v0.*
v0.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49982.json"