HarborGuard Database
CVE-2026-49982 | Severity: HIGH | CNA: GitHub_M

CVE-2026-49982: tmp: Type-confusion bypass of _assertPath in tmp@0.2.6 allows path traversal via non-string prefix/postfix/template

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring '..'. It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.

Metrics

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A type-confusion path-traversal vulnerability exists in the tmp package (node-tmp) version 0.2.6, a temporary file and directory utility for Node.js. The flaw is reachable over the network with no authentication required when an application forwards untrusted input directly into tmp's file or directory creation functions. Successful exploitation lets an attacker write files or create directories at arbitrary locations on the host filesystem, using the privileges of the running process. No fix version has been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available the moment a fix is released.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built Node.js application images that bundle tmp@0.2.6 as a direct or transitive dependency.

Triage: Available

HarborGuard is capable of scoring this CVE at CVSS 8.2 HIGH (v3.1) and weighting it against each environment's compliance policy to determine urgency; findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the maintainer ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix appears upstream.

Exploit Conditions

  • Network reachability: Required

    The vulnerability is exposed over the network (AV:N): an attacker must be able to send HTTP requests (or other network input) to an application that passes untrusted fields into tmp functions.

  • Authentication: Not required

    No credentials are needed (PR:N): any unauthenticated request carrying a crafted prefix, postfix, or template value is sufficient to trigger the bypass.

  • Victim interaction: Not required

    No victim action is required (UI:N): the exploit completes server-side when the application processes the attacker's input, with no user click or navigation needed.

  • Attack complexity: Low

    Attack complexity is low (AC:L): no race conditions, memory-layout knowledge, or special environmental factors are required; the bypass is reliable and repeatable against any unpatched application that forwards unsanitized input to tmp.

Blast Radius

  • An attacker writes files or creates directories at arbitrary locations on the host filesystem, bounded only by the privileges of the Node.js process.
  • Sensitive locations such as cron directories, shell init files, or application configuration paths can be overwritten or seeded with attacker-controlled content.
  • Persistent backdoors or malicious scripts can be planted if any writable location is later executed or loaded by the process or the operating system.
  • Service availability is partially disrupted (A:L per CVSS): filling or corrupting filesystem paths can degrade normal application operation or cause partial failures.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all scanned environments that include node-tmp@0.2.6, covering both pulled registry images and images built in CI pipelines. Because no upstream patch exists yet, the recommended immediate compensating controls are: enforce strict input validation and explicit type coercion (String()) on any request field before it reaches tmp functions; apply network-policy isolation to services that use tmp so that untrusted external input cannot reach them directly; and consider feature-flag gating or removal of the tmp-dependent code path until a fix is available. HarborGuard monitors the raszi/node-tmp advisory on every ingest cycle. The instant version 0.2.7 or a later fix is published, a patched-image rebuild becomes available; for customers with auto-remediation enabled, a rebuilt image, regression test run, and a PR opened against affected workloads will follow automatically, with median time from CVE fix publication to merged patch PR for HIGH-severity issues around 90 minutes in auto-remediation-enabled environments.

Affected packages
  • raszi/node-tmp 0.2.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L