{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/tmp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["tmp"],"_cs_severities":["high"],"_cs_tags":["path traversal","npm package","tmp"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003etmp\u003c/code\u003e npm package is vulnerable to path traversal due to insufficient input sanitization in its file and directory creation functions. By manipulating the \u003ccode\u003eprefix\u003c/code\u003e, \u003ccode\u003epostfix\u003c/code\u003e, or \u003ccode\u003edir\u003c/code\u003e options, an attacker can write files to arbitrary locations on the file system. This is achieved by including traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) or absolute paths in these options, bypassing the intended temporary directory. The vulnerability affects applications that pass user-controlled data to \u003ccode\u003etmp\u003c/code\u003e\u0026rsquo;s file/directory creation functions without proper validation, allowing an attacker to create or overwrite files with the privileges of the running process. This can lead to web application configuration poisoning, cache poisoning, or other security bypasses. The affected versions are all versions prior to the fix. This was reported by Mapta / BugBunny_ai.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts malicious input containing path traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) within the \u003ccode\u003eprefix\u003c/code\u003e, \u003ccode\u003epostfix\u003c/code\u003e, or \u003ccode\u003edir\u003c/code\u003e options of the \u003ccode\u003etmp\u003c/code\u003e package\u0026rsquo;s functions.\u003c/li\u003e\n\u003cli\u003eThe application, without proper sanitization, passes this attacker-controlled input to the \u003ccode\u003etmp.file()\u003c/code\u003e or \u003ccode\u003etmp.dir()\u003c/code\u003e functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etmp\u003c/code\u003e package constructs a file path by concatenating the \u003ccode\u003etmpdir\u003c/code\u003e, \u003ccode\u003edir\u003c/code\u003e, \u003ccode\u003eprefix\u003c/code\u003e, and \u003ccode\u003epostfix\u003c/code\u003e options.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epath.join()\u003c/code\u003e function normalizes the path, resolving the traversal sequences and potentially allowing the final path to escape the intended temporary directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etmp\u003c/code\u003e package attempts to create a file or directory at the constructed path using \u003ccode\u003efs.writeFileSync()\u003c/code\u003e or similar functions.\u003c/li\u003e\n\u003cli\u003eDue to the path traversal, the file or directory is created outside the intended temporary directory, potentially in a sensitive location.\u003c/li\u003e\n\u003cli\u003eDepending on the attacker\u0026rsquo;s chosen location, they can achieve effects such as web application configuration poisoning or cache poisoning.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access or control over the application or system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to create files outside the intended temporary directories, leading to arbitrary file creation with the privileges of the running process. This can result in various attack scenarios, including web application configuration poisoning, cache poisoning, build pipeline compromise, container escape attempts, and multi-tenant service bypass. For instance, an attacker could overwrite application configuration files, inject malicious code into cached content, or gain access to sensitive data. The vulnerability has a CVSS v3.1 score of 8.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement input validation and sanitization for the \u003ccode\u003eprefix\u003c/code\u003e, \u003ccode\u003epostfix\u003c/code\u003e, and \u003ccode\u003edir\u003c/code\u003e options before passing them to the \u003ccode\u003etmp.file()\u003c/code\u003e or \u003ccode\u003etmp.dir()\u003c/code\u003e functions, as described in the Remediation section of this brief.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events outside expected temporary directories using file system monitoring tools, as demonstrated in the Detection and Monitoring section of this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious tmp NPM Package Path Traversal via Prefix/Postfix\u0026rdquo; to identify exploitation attempts by detecting path traversal sequences in process command lines.\u003c/li\u003e\n\u003cli\u003eApply the safe TmpFile workaround described in the Remediation section to strip out unsafe characters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T00:36:17Z","date_published":"2026-05-27T00:36:17Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tmp-path-traversal/","summary":"The tmp npm package contains a path traversal vulnerability (CVE-2026-44705) that allows writing files outside the intended temporary directory when untrusted data flows into the `prefix`, `postfix`, or `dir` options, leading to arbitrary file creation.","title":"tmp NPM Package Path Traversal Vulnerability (CVE-2026-44705)","url":"https://feed.craftedsignal.io/briefs/2026-05-tmp-path-traversal/"}],"language":"en","title":"CraftedSignal Threat Feed — Tmp","version":"https://jsonfeed.org/version/1.1"}