CVE-2025-54798

Description

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected products

raszi / node-tmp< 0.2.4 – < 0.2.4

References

VENDOR_ADVISORYhttps://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
MISChttps://github.com/raszi/node-tmp/issues/207
PATCHhttps://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b