Threat Advisory

NPM Tmp Vulnerability Enables Path Traversal

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-49982 (CVSS score 8.2) is a high-severity vulnerability in the tmp package affecting versions 0.2.6 and earlier. The _assertPath guard can be bypassed by supplying a non-string value, such as an Array or Buffer, as the prefix, postfix, or template option, which allows an attacker to perform a path traversal attack. The attack vector is network-based and requires no privileges or user interaction, and the integrity impact is high: the attacker can create files or directories at an arbitrary location with the privileges of the host process, leading to file creation outside the intended temporary directory, directory creation outside the intended tree, and manipulation of file content. The business consequences can be significant, including data corruption, unauthorized access, and system compromise. The vulnerability is exploitable when an application forwards untrusted request data into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion; exploitation requires network access to the vulnerable application.

RECOMMENDATION:

We recommend updating tmp to version 0.2.7.
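For applications that cannot upgrade immediately, or as defence in depth on top of the upgrade, the forwarding pattern described in the summary can be closed with explicit type checking before any request data reaches tmp. The following is an added example, not code from the advisory or from the tmp project; the option names it validates are the three the advisory lists, and the allow-list pattern and error class are assumptions of this example.

```javascript
// Added example, not code from the advisory or from the tmp project: a
// validation layer for request-controlled tmp options, applied before they
// reach tmp.file / tmp.fileSync / tmp.dir / tmp.dirSync / tmp.tmpName /
// tmp.tmpNameSync.  Upgrading to tmp 0.2.7 is the fix; this is defence in
// depth for the "forwards untrusted request data" pattern the advisory names.

// Option names the advisory lists as reachable with attacker-controlled data.
const REQUEST_CONTROLLED = ['prefix', 'postfix', 'template'];

// Allow-list for a name fragment: letters, digits, '_', '-' and '.', so '/',
// '\' and NUL can never appear; '..' is rejected separately below.  Relative
// mkstemp-style templates such as "upload-XXXXXX" still pass.
const SAFE_FRAGMENT = /^[A-Za-z0-9_.-]{1,64}$/;

class UnsafeTmpOptionError extends Error {
  constructor(message) { super(message); this.name = 'UnsafeTmpOptionError'; }
}

// Returns a fresh options object holding only validated strings.  dir, tmpdir
// and mode are deliberately never copied from the request: the application
// supplies them itself when it calls tmp.
function sanitizeTmpOptions(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object' || Array.isArray(untrusted)) {
    throw new UnsafeTmpOptionError('options must be a plain object');
  }
  const safe = {};
  for (const key of REQUEST_CONTROLLED) {
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    const value = untrusted[key];
    // Strict typeof: rejects Array, Buffer, String objects and anything with a
    // crafted toString().  This is the explicit type check whose absence the
    // advisory describes for the _assertPath guard in tmp 0.2.6 and earlier.
    if (typeof value !== 'string') {
      throw new UnsafeTmpOptionError(
        `${key} must be a string, got ${Object.prototype.toString.call(value)}`);
    }
    if (!SAFE_FRAGMENT.test(value) || value.includes('..')) {
      throw new UnsafeTmpOptionError(`${key} is not a safe name fragment`);
    }
    safe[key] = value;
  }
  return safe;
}

// Handler usage (tmp is not loaded here so the example runs stand-alone):
//   const opts = sanitizeTmpOptions(req.body);             // throws -> reply 400
//   const f = tmp.fileSync({ ...opts, dir: 'uploads' });   // dir chosen by the app
```

A rejection should be logged with the offending key and the value's type (not its content), since a non-string prefix or postfix arriving from a client is a useful detection signal for attempts against this CVE.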

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-7c78-jf6q-g5cm
