Fluid Attacks Database

Description

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	node-tmp	=0.2.1+dfsg-1 \|\| >=0 <0.2.1+dfsg-1+deb11u1	0.2.1+dfsg-1+deb11u1
debian 12	node-tmp	=0.2.2+dfsg+~0.2.3-1 \|\| >=0 <0.2.2+dfsg+~0.2.3-1.1~deb12u1	0.2.2+dfsg+~0.2.3-1.1~deb12u1
debian 13	node-tmp	=0.2.2+dfsg+~0.2.3-1 \|\| =0.2.2+dfsg+~0.2.3-1.1~deb12u1 \|\| >=0 <0.2.2+dfsg+~0.2.3-1.1~deb13u1	0.2.2+dfsg+~0.2.3-1.1~deb13u1
debian 14	node-tmp	=0.2.2+dfsg+~0.2.3-1 \|\| =0.2.2+dfsg+~0.2.3-1.1~deb12u1 \|\| =0.2.2+dfsg+~0.2.3-1.1~deb13u1 \|\| >=0 <0.2.2+dfsg+~0.2.3-1.1	0.2.2+dfsg+~0.2.3-1.1
npm	tmp	>=0 <0.2.4	0.2.4
rpm rhel8	grafana	-	-
rpm rhel9	grafana	-	-
rpm rhel8	mozjs60	-	-
rpm rhel9	gjs	-	-
rpm rhel9	polkit	-	-

Aliases

1. CVE-2025-547982. NVD-2025-547983. OSV-DEBIAN-2025-547984. OSV-2025-547985. GHSA-52f5-9888-hmc66. GCVE-2025-547987. SECURITY-TRACKER-CVE-2025-547988. lists.debian.org

References

1. https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc62. https://github.com/raszi/node-tmp/issues/2073. https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b