DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-49982: CVE-2026-49982: Path Traversal Bypass via Type Confusion in node-tmp

#security #cve #cybersecurity

CVE-2026-49982: Path Traversal Bypass via Type Confusion in node-tmp

Vulnerability ID: CVE-2026-49982
CVSS Score: 8.2
Published: 2026-06-15

A high-severity type-confusion path traversal vulnerability (CVE-2026-49982 / GHSA-7c78-jf6q-g5cm) exists in the node-tmp package version 0.2.6. The vulnerability allows remote attackers to bypass path validation checks by passing non-string data types such as Arrays or duck-typed Objects into options like prefix, postfix, or template. Because the library relies on the .includes() method without verifying the input type, standard array checks evaluate differently than string checks. Downstream string coercion subsequently restores the traversal sequence, allowing files and directories to be created outside the designated temporary directory root. This can result in arbitrary file writes and potential local file execution depending on application context.

TL;DR

A type-confusion vulnerability in node-tmp version 0.2.6 allows path traversal checks to be bypassed using non-string options (such as arrays). This results in arbitrary file and directory creation outside the temporary workspace, potentially leading to unauthorized writes and host compromise.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-20, CWE-22
  • Attack Vector: Network
  • CVSS: 8.2 (High)
  • EPSS Score: 0.00447
  • Impact: Integrity (High), Availability (Low)
  • Exploit Status: Proof of Concept (PoC) available
  • KEV Status: Not listed

Affected Systems

  • Node.js applications running node-tmp version 0.2.6
  • tmp: = 0.2.6 (Fixed in: 0.2.7)

Exploit Details

  • GitHub: Exploit methodology and security advisory details including reproducible scenarios.

Mitigation Strategies

  • Upgrade node-tmp dependency to version 0.2.7 or higher
  • Enforce strict string type validation on all user inputs passed to file-creation APIs
  • Sanitize nested parameters from parsed JSON payloads or bracketed query string structures
  • Ensure host processes run with the least privilege necessary to minimize filesystem access

Remediation Steps:

  1. Run 'npm install tmp@0.2.7' to update the local package dependencies.
  2. Validate the update by checking the package-lock.json or yarn.lock file for version 0.2.7.
  3. Audit application route handlers for any references to tmp.file, tmp.dir, or tmp.tmpName.
  4. Deploy localized input sanitation logic to verify that prefix, postfix, and template options are strict string types.

References

Read the full report for CVE-2026-49982 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)