CVE-2025-54798

Name of the Vulnerable Software and Affected Versions tmp versions 0.2.3 and below

Description The tmp node.js module versions 0.2.3 and below is susceptible to an arbitrary temporary file/directory write vulnerability due to improper handling of symbolic links when resolving paths. Specifically, the resolvePath function does not adequately address symbolic links, allowing a malicious actor to bypass the intended restrictions on temporary file creation locations. By providing a dir parameter that points to a symbolic link resolving to a directory outside the designated temporary directory, an attacker can write temporary files to arbitrary locations on the system.

Recommendations Update to version 0.2.4 or later to address this vulnerability.