CVE-2025-54798 — node-tmp - security update

Description

tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.

How to fix CVE-2025-54798

To remediate CVE-2025-54798, upgrade the affected package to a fixed version below.

Debian/node-tmp—upgrade to 0.2.1+dfsg-1+deb11u1 or later
—upgrade to 0.2.1+dfsg-1+deb11u1 or later
—upgrade to 0.2.4 or later

Is CVE-2025-54798 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.2.1+dfsg-1+deb11u1
from 0, < 0.2.1+dfsg-1+deb11u1
from 0, < 0.2.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.5	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-54798
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-54798
PATCHgithub.com/raszi/node-tmp
WEBgithub.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b
WEB