CVE-2025-54798: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

August 6, 2025 (updated August 7, 2025)

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

References

github.com/advisories/GHSA-52f5-9888-hmc6
github.com/raszi/node-tmp
github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b
github.com/raszi/node-tmp/issues/207
github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
nvd.nist.gov/vuln/detail/CVE-2025-54798

Code Behaviors & Features

Detect and mitigate CVE-2025-54798 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →