- Package: src:node-tmp
- Source: src:node-tmp
- Submitter: Salvatore Bonaccorso
- Date: 2026-06-24 09:07:03 UTC
- Severity: normal
- Tags:
Hi,

The following vulnerability was published for node-tmp.

CVE-2026-44705[0]:
| tmp is a temporary file and directory creator for node.js. Prior to
| 0.2.6, the tmp npm package contains a path traversal vulnerability
| that allows escaping the intended temporary directory when untrusted
| data flows into the prefix, postfix, or dir options. By embedding
| traversal sequences (e.g., ../) or path separators in these
| parameters, attackers can cause files to be created outside the
| configured temporary base directory at attacker-controlled locations
| with the privileges of the running process. This vulnerability
| affects applications that pass user-controlled data to tmp's
| file/directory creation functions without proper input sanitization.
| This vulnerability is fixed in 0.2.6.

Note that the 0.2.6 upstream introduced CVE-2026-49982, so when fixing this issue make sure to not open up the later one and make the fixes complete.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44705
    https://www.cve.org/CVERecord?id=CVE-2026-44705
[1] https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
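A caller-side check for the condition the CVE description names, as an added example (not code from tmp, its upstream fix, or the Debian package). The helper `checkTmpOptions` and the sample inputs are hypothetical; it assumes `prefix` and `postfix` end up inside a single file name and that `dir` is resolved relative to the temporary base directory.

```javascript
const path = require('node:path');

// Hypothetical helper, not part of tmp: validate untrusted values before they
// are used as tmp's prefix, postfix or dir options.
// Assumption: prefix and postfix end up inside a single file name, and dir is
// resolved relative to the temporary base directory.
function checkTmpOptions(baseDir, { prefix = '', postfix = '', dir = '' } = {}) {
  const base = path.resolve(baseDir);

  for (const [key, value] of [['prefix', prefix], ['postfix', postfix]]) {
    // A file-name fragment may not contain a separator (either style) or NUL.
    if (typeof value !== 'string' || /[\\\/\0]/.test(value)) {
      throw new RangeError(`${key} must not contain path separators`);
    }
  }

  if (typeof dir !== 'string' || dir.includes('\0') || path.isAbsolute(dir)) {
    throw new RangeError('dir must be a relative path');
  }
  // Lexical containment check: normalise, then require the result to stay at
  // or below base. This does not follow symlinks.
  const rel = path.relative(base, path.resolve(base, dir));
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new RangeError('dir escapes the temporary base directory');
  }
  return { prefix, postfix, dir: rel };
}

// Constructed sample inputs, as they might arrive from a request.
const SAMPLES = [
  { prefix: 'upload-', postfix: '.txt' },
  { dir: 'jobs/../cache' },
  { prefix: '../../x' },
  { postfix: '/../x.txt' },
  { dir: '../../etc' },
  { dir: '/etc' },
];

// Returns 'ok' or 'rejected: <reason>' for each sample.
function classify(baseDir, samples = SAMPLES) {
  return samples.map((opts) => {
    try { checkTmpOptions(baseDir, opts); return 'ok'; }
    catch (err) { return `rejected: ${err.message}`; }
  });
}

console.log(classify('/tmp/app'));
```

A check like this complements upgrading to a fixed tmp release; it does not replace it.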
Hello,

Bug #1139827 in node-tmp reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-tmp/-/commit/80314d7c676dff6b2dbe8b61c328c9ec7f148cdb

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/1139827
We believe that the bug you reported is fixed in the latest version of node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1139827@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Wed, 24 Jun 2026 10:44:58 +0200
Source: node-tmp
Architecture: source
Version: 0.2.7+dfsg+~0.2.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 1139827
Changes:
 node-tmp (0.2.7+dfsg+~0.2.6-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * Drop "Rules-Requires-Root: no"
   * Drop "Priority: optional"
   * debian/watch version 5
   * New upstream version (Closes: #1139827, CVE-2026-44705)