Source: node-tmp
Version: 0.2.5+dfsg+~0.2.6-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-tmp.

CVE-2026-44705[0]:
| tmp is a temporary file and directory creator for node.js. Prior to
| 0.2.6, the tmp npm package contains a path traversal vulnerability
| that allows escaping the intended temporary directory when untrusted
| data flows into the prefix, postfix, or dir options. By embedding
| traversal sequences (e.g., ../) or path separators in these
| parameters, attackers can cause files to be created outside the
| configured temporary base directory at attacker-controlled locations
| with the privileges of the running process. This vulnerability
| affects applications that pass user-controlled data to tmp's
| file/directory creation functions without proper input sanitization.
| This vulnerability is fixed in 0.2.6.

Note that the 0.2.6 upstream introduced CVE-2026-49982, so when fixing
this issue make sure to not open up the later one and make the fixes
complete.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44705
    https://www.cve.org/CVERecord?id=CVE-2026-44705
[1] https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
