HIGH · CVE-2026-44705 · CNA: GitHub_M

CVE-2026-44705: tmp: Path Traversal via unsanitized prefix/postfix enables directory escape

tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

Metrics

CVSS v4.0: 7.7
Severity: HIGH
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

Path traversal vulnerability in the tmp npm package (raszi/node-tmp) allows an attacker to escape the intended temporary directory by injecting traversal sequences (such as ../) into the prefix, postfix, or dir options passed to tmp's file and directory creation functions. The vulnerability is reachable over the network with no authentication required, and affects any Node.js application that passes user-controlled input into these options without sanitizing it first. Successful exploitation lets the attacker write files to arbitrary locations on the host filesystem with the privileges of the running process. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-44705 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built Node.js images that bundle the tmp package. Any image containing a raszi/node-tmp version below 0.2.6 is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at 7.7 HIGH using the published CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the inbox or ticket queue configured for the relevant team inside each customer organization.

Status: Available
Patch

Because no fix version has been published upstream yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment raszi/node-tmp ships a remediated release. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without requiring manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the vulnerable service over the network to supply malicious input to the tmp options.

  • Authentication: Not required

    No account or credential is needed; the vulnerability is exploitable by any unauthenticated caller who can reach the service.

  • Victim interaction: Not required

    No user action is required; the exploit is triggered entirely by the attacker supplying crafted input to the application.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, special memory layout, or other variable environmental factors.

Blast Radius

  • The attacker writes files to arbitrary locations outside the configured temporary directory, constrained only by the filesystem permissions of the running process.
  • In a containerized workload running as root or with broad write permissions, this enables overwriting configuration files, scripts, or other application assets on the host or shared volumes.
  • Confidentiality impact is high: because file paths are attacker-controlled, the attacker can place files where they will be read or executed by other processes, enabling indirect exfiltration or privilege escalation depending on application behavior.
  • Integrity of the host filesystem is at risk for any path the process user can write to, including application code directories if mounted with write access.

How HarborGuard Handles This

Available on HarborGuard: images containing raszi/node-tmp below 0.2.6 are flagged as soon as they appear in a customer registry or CI pipeline scan. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once version 0.2.6 or later is published. In the meantime, compensating controls available to HarborGuard customers include network-policy isolation to restrict which callers can reach the affected service, and policy rules that flag any deployment passing unsanitized external input to tmp options. For customers with auto-remediation enabled, the patched rebuild will trigger a regression test run and a PR opened against affected workloads the moment the upstream fix lands, with no manual steps required.

Affected packages

  • raszi/node-tmp < 0.2.6

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P