CVE-2026-44705: tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape

May 27, 2026

The tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp’s file/directory creation functions without proper input sanitization.

References

github.com/advisories/GHSA-ph9p-34f9-6g65
github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429
github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65
nvd.nist.gov/vuln/detail/CVE-2026-44705

Code Behaviors & Features

Detect and mitigate CVE-2026-44705 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →