2.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54798

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.


// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

Miggo Vulnerability Database

→

CVE-2025-54798

CVE-2025-54798:

2.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tmp	npm	<= 0.2.3	0.2.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the tmp library did not correctly handle symbolic links when validating user-provided directory paths. The root cause is in the _resolvePath function, which used path.resolve instead of a function that resolves symbolic links, like fs.realpathSync. This allowed an attacker to specify a dir option that is a symbolic link pointing to a location outside of the intended temporary directory, bypassing the security checks in _assertIsRelative.

The exploitation of this vulnerability occurs through user-facing functions like fileSync, dirSync, and their asynchronous counterparts (file, dir), which all rely on the flawed path validation logic. The provided patch addresses the issue by removing the vulnerable _resolvePath and _assertIsRelative functions and replacing them with new logic (_resolvePathSync, _getRelativePathSync) that correctly resolves symbolic links using fs.realpathSync before performing the validation checks. Therefore, any function that creates temporary files or directories using a user-supplied dir option was vulnerable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

2.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

Details

CVE-2025-54798:

2.5

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Detect and Respond To Threats Faster.

Basic Information

Basic Information

2.5

2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

Details

PoC

Impact

2.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

Details

CVE-2025-54798:

2.5

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

2.5

2.5

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI