CVE-2026-49982
Raszi · node-tmp
A type-confusion vulnerability in node-tmp allows attackers to perform path traversal by supplying non-string values to file path parameters.
Executive summary
A type-confusion flaw in the node-tmp library enables attackers to bypass path guards and create files or directories in arbitrary locations on the filesystem.
Vulnerability
The _assertPath guard in node-tmp version 0.2.6 can be bypassed using type confusion. When an attacker provides non-string values for the prefix, postfix, or template parameters, the validation logic fails, permitting the creation of temporary files or directories outside of intended safe directories.
Business impact
With a CVSS score of 8.2, this vulnerability allows unauthorized filesystem manipulation. An attacker could overwrite critical configuration files, plant malicious scripts, or disrupt system operations, potentially leading to a full compromise of the host environment where the Node.js application runs.
Remediation
Immediate Action: Update the node-tmp dependency in your package.json to version 0.2.7 or later, which contains the corrected path validation logic.
Proactive Monitoring: Review filesystem activity logs for the creation of unexpected files or directories in sensitive system paths, particularly those initiated by the user account running the application.
Compensating Controls: Run the application within a containerized environment with a read-only filesystem or restricted permissions to limit the scope of potential arbitrary file creation.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Dependency-related vulnerabilities are often overlooked in the software supply chain. Developers must immediately update node-tmp to version 0.2.7 to close this path traversal vector and prevent potential arbitrary file system access.