CVE-2026-44705
Description
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tmpnpm | < 0.2.6 | 0.2.6 |
Affected products
102- osv-coords101 versionspkg:apk/chainguard/arangodb-3.11pkg:apk/chainguard/authentik-2026.5pkg:apk/chainguard/authentik-fips-2026.5pkg:apk/chainguard/homepagepkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-bitnamipkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/langfuse-2-workerpkg:apk/chainguard/langfuse-fips-2-workerpkg:apk/chainguard/lernapkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizationspkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3pkg:apk/chainguard/opensearch-dashboards-3-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-3-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-3-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-3-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-3-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-3-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-3-fipspkg:apk/chainguard/opensearch-dashboards-3-fips-alerting-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-fips-anomaly-detection-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-mapspkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-notificationspkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-observabilitypkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-query-workbenchpkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-reportingpkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-search-relevancepkg:apk/chainguard/opensearch-dashboards-3-fips-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-fips-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-3-fips-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-fips-security-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-index-management-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-ml-commons-dashboardspkg:apk/chainguard/opensearch-dashboards-3-security-analytics-dashboards-pluginpkg:apk/chainguard/opensearch-dashboards-3-security-dashboards-pluginpkg:apk/chainguard/prismpkg:apk/chainguard/pulumi-language-nodejspkg:apk/chainguard/renovatepkg:apk/chainguard/safpkg:apk/chainguard/vitess-23pkg:apk/chainguard/wazuh-dashboard-dashboards-reportingpkg:apk/chainguard/wazuh-dashboard-dashboards-reporting-fipspkg:apk/wolfi/lernapkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-2-dashboards-notificationspkg:apk/wolfi/opensearch-dashboards-2-dashboards-observabilitypkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbenchpkg:apk/wolfi/opensearch-dashboards-2-dashboards-reportingpkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevancepkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizationspkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboardspkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-3pkg:apk/wolfi/opensearch-dashboards-3-alerting-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-3-anomaly-detection-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-3-dashboards-mapspkg:apk/wolfi/opensearch-dashboards-3-dashboards-notificationspkg:apk/wolfi/opensearch-dashboards-3-dashboards-observabilitypkg:apk/wolfi/opensearch-dashboards-3-dashboards-query-workbenchpkg:apk/wolfi/opensearch-dashboards-3-dashboards-reportingpkg:apk/wolfi/opensearch-dashboards-3-dashboards-search-relevancepkg:apk/wolfi/opensearch-dashboards-3-index-management-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-3-ml-commons-dashboardspkg:apk/wolfi/opensearch-dashboards-3-security-analytics-dashboards-pluginpkg:apk/wolfi/opensearch-dashboards-3-security-dashboards-pluginpkg:apk/wolfi/prismpkg:apk/wolfi/pulumi-language-nodejspkg:apk/wolfi/renovatepkg:apk/wolfi/safpkg:apk/wolfi/vitess-23
< 3.11.14.4-r3+ 100 more
- (no CPE)range: < 3.11.14.4-r3
- (no CPE)range: < 2026.5.3-r5
- (no CPE)range: < 2026.5.3-r4
- (no CPE)range: < 1.13.2-r1
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 8.17.10-r22
- (no CPE)range: < 2.95.12-r24
- (no CPE)range: < 2.95.12-r26
- (no CPE)range: < 9.0.7-r6
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r7
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 5.15.10-r2
- (no CPE)range: < 3.244.0-r0
- (no CPE)range: < 43.170.15-r3
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 23.0.4-r5
- (no CPE)range: < 4.14.5-r3
- (no CPE)range: < 4.14.5-r3
- (no CPE)range: < 9.0.7-r6
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 2.19.5-r13
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 3.6.0-r5
- (no CPE)range: < 5.15.10-r2
- (no CPE)range: < 3.244.0-r0
- (no CPE)range: < 43.170.15-r3
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 23.0.4-r5
Patches
Vulnerability mechanics
References
4- github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-ph9p-34f9-6g65ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44705ghsaADVISORY
- github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429ghsaWEB
News mentions
0No linked articles in our index yet.