PatchSiren cyber security CVE debrief

CVE-2026-49982: raszi node-tmp CVE debrief

The tmp package for Node.js, version 0.2.6, is vulnerable to a directory traversal attack. The _assertPath guard in tmp rejects string values containing the substring '..', but can be bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or object) whose stringification still contains '../'. This allows attackers to create files or directories at arbitrary locations with the host process's privileges. The vulnerability affects applications that forward untrusted request data into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion.

Vendor: raszi
Product: node-tmp
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-11
Original CVE updated: 2026-06-11
Advisory published: 2026-06-11
Advisory updated: 2026-06-11

Who should care

Developers and administrators of applications that use the tmp package, especially applications that forward untrusted request data into tmp's prefix, postfix, or template options, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The tmp package for Node.js, version 0.2.6, has a vulnerability that allows attackers to create files or directories at arbitrary locations. The root cause is the _assertPath guard in tmp: it rejects string values containing the substring '..', but the check does not apply when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or object). Such a value is later stringified into the generated path, and if its string form still contains '../' the resulting file or directory can land outside the intended temporary directory.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to version 0.2.7 or later of the tmp package.
  • Ensure explicit type coercion when passing user input to tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync, so that only string values reach the '..' check and non-string request data cannot bypass it.

Evidence notes

This vulnerability has a CVSS score of 8.2 and is classified as HIGH severity.

Official resources

CVE-2026-49982 was published on 2026-06-11T17:16:35.227Z and modified on 2026-06-11T20:59:17.743Z.