CVE-2025-54798 LOW

CVE-2025-54798: tmp does not restrict arbitrary temporary file / directory write via symbolic link `dir` parameter

Vendor Raszi
Product node-tmp
Weakness CWE-59
Published August 7, 2025
Last update November 3, 2025

CVSS base score

2.5/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

Key dates

02Disclosure timeline

August 7, 2025 CVE published
November 3, 2025 Record updated