
CVE-2026-44705 is a path traversal vulnerability (CWE-22) in the tmp npm package (github.com/raszi/node-tmp) that allows attackers to cause files to be created outside the intended temporary directory by embedding traversal sequences (e.g., ../) or path separators in the prefix, postfix, or dir options. All versions prior to 0.2.6 are affected; version 0.2.6 contains the fix. The vulnerability was published on May 26, 2026, and reported by Mapta / BugBunny_ai. It carries a CVSS v4.0 base score of 7.7 (High) (GitHub Advisory).
The root cause is in tmp's path construction logic (lib/tmp.js), where user-supplied prefix, postfix, and dir options are directly concatenated into file paths without sanitization or containment validation (CWE-22). The filename is built as `${opts.prefix}-${process.pid}-${randomString}-${opts.postfix}` and the final path is computed via path.join(tmpDir, opts.dir, name) — Node.js's path.join() normalizes ../ sequences, allowing directory escape. Additionally, if opts.dir is an absolute path, path.join() ignores tmpDir entirely, enabling a full bypass. The fix in commit efa4a06 adds a _assertPath() check that throws an error if .. is present in prefix, postfix, or template, and corrects the dir containment check to use path.relative() instead of startsWith() (GitHub Advisory, Patch Commit).
Successful exploitation allows an attacker to create files at arbitrary, attacker-controlled locations on the filesystem with the privileges of the running Node.js process. This can lead to web application configuration poisoning (malicious config files loaded on restart), cache poisoning across tenants in multi-tenant SaaS environments, compromise of CI/CD build pipelines by placing malicious artifacts in build output directories, and potential cross-tenant data access or privilege escalation. The CVSS v4.0 scoring reflects a high confidentiality impact on the vulnerable system, with potential for significant integrity consequences depending on what files are overwritten or injected (GitHub Advisory).
Upgrade the tmp npm package to version 0.2.6 or later, which introduces input validation rejecting any prefix, postfix, or template values containing .., and fixes the dir containment check to use path.relative() for robust boundary enforcement (Patch Commit). As an immediate workaround for applications that cannot upgrade, sanitize all user-supplied values before passing them to tmp: apply path.basename() to prefix, restrict postfix to alphanumeric characters and safe symbols by rejecting any character that matches [^A-Za-z0-9._-], and never pass user-controlled data to the dir option. Additionally, add post-construction path validation using path.relative() to confirm the generated path remains within the expected base directory (GitHub Advisory, node-tmp Advisory).
Source: This report was generated using artificial intelligence.