{"url":"http://public2.vulnerablecode.io/api/packages/96837?format=json","purl":"pkg:deb/debian/node-tmp@0.2.1%2Bdfsg-1?distro=trixie","type":"deb","namespace":"debian","name":"node-tmp","version":"0.2.1+dfsg-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.2.1+dfsg-1+deb11u1","latest_non_vulnerable_version":"0.2.5+dfsg+~0.2.6-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/25608?format=json","vulnerability_id":"VCID-4hjy-3cmj-67ds","summary":"","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-54798.json","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-54798.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54798","reference_id":"","reference_type":"","scores":[{"value":"0.00469","scoring_system":"epss","scoring_elements":"0.6499","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00469","scoring_system":"epss","scoring_elements":"0.65098","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00469","scoring_system":"epss","scoring_elements":"0.65101","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00469","scoring_system":"epss","scoring_elements":"0.6509","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-54798"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54798","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54798"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/raszi/node-tmp","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/raszi/node-tmp"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54798","reference_id":"","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-54798"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110532","reference_id":"1110532","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110532"},{"reference_url":"https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b","reference_id":"188b25e529496e37adaf1a1d9dccb40019a08b1b","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-07T14:04:19Z/"}],"url":"https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b"},{"reference_url":"https://github.com/raszi/node-tmp/is
sues/207","reference_id":"207","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-07T14:04:19Z/"}],"url":"https://github.com/raszi/node-tmp/issues/207"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2386976","reference_id":"2386976","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2386976"},{"reference_url":"https://github.com/advisories/GHSA-52f5-9888-hmc6","reference_id":"GHSA-52f5-9888-hmc6","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-52f5-9888-hmc6"},{"reference_url":"https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6","reference_id":"GHSA-52f5-9888-hmc6","reference_type":"","scores":[{"value":"2.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-07T14:04:19Z/"}],"url":"https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/96837?format=json","purl":"pkg:deb/debian/node-tmp@0.2.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96838?format=json","purl":"pkg:deb/debian/node-tmp@0.2.1%2Bdfsg-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulne
rabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.1%252Bdfsg-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96836?format=json","purl":"pkg:deb/debian/node-tmp@0.2.2%2Bdfsg%2B~0.2.3-1.1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.2%252Bdfsg%252B~0.2.3-1.1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96841?format=json","purl":"pkg:deb/debian/node-tmp@0.2.2%2Bdfsg%2B~0.2.3-1.1~deb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.2%252Bdfsg%252B~0.2.3-1.1~deb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96840?format=json","purl":"pkg:deb/debian/node-tmp@0.2.2%2Bdfsg%2B~0.2.3-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.2%252Bdfsg%252B~0.2.3-1.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96839?format=json","purl":"pkg:deb/debian/node-tmp@0.2.5%2Bdfsg%2B~0.2.6-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.5%252Bdfsg%252B~0.2.6-2%3Fdistro=trixie"}],"aliases":["CVE-2025-54798","GHSA-52f5-9888-hmc6"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4hjy-3cmj-67ds"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/363566?format=json","vulnerability_id":"VCID-wuab-3ve5-zbgp","summary":"tmp is a temporary file and directory creator for node.js. 
In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring '..'. It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-49982","reference_id":"","reference_type":"","scores":[{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16677","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16689","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00052","scoring_system":"epss","scoring_elements":"0.16662","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-49982"},{"reference_url":"https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm","reference_id":"GHSA-7c78-jf6q-g5cm","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-06-11T18:24:14Z/"}],"url":"https://github.com/raszi/node-tmp/security/advisories/GHSA-7c78-jf6q-g5cm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1088979?format=json","p
url":"pkg:deb/debian/node-tmp@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96837?format=json","purl":"pkg:deb/debian/node-tmp@0.2.1%2Bdfsg-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.1%252Bdfsg-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96836?format=json","purl":"pkg:deb/debian/node-tmp@0.2.2%2Bdfsg%2B~0.2.3-1.1~deb12u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.2%252Bdfsg%252B~0.2.3-1.1~deb12u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96841?format=json","purl":"pkg:deb/debian/node-tmp@0.2.2%2Bdfsg%2B~0.2.3-1.1~deb13u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.2%252Bdfsg%252B~0.2.3-1.1~deb13u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/96839?format=json","purl":"pkg:deb/debian/node-tmp@0.2.5%2Bdfsg%2B~0.2.6-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.5%252Bdfsg%252B~0.2.6-2%3Fdistro=trixie"}],"aliases":["CVE-2026-49982"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wuab-3ve5-zbgp"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tmp@0.2.1%252Bdfsg-1%3Fdistro=trixie"}