Main Vulnerability Database SB2025110743

SB2025110743 - Link following in node-tmp

Published: November 7, 2025

Security Bulletin ID SB2025110743

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Link following (CVE-ID: CVE-2025-54798)

The vulnerability allows a local user to modify data on the system.

The vulnerability exists due to an insecure link following issue. A local user can create a specially crafted symbolic link to a critical file on the system and overwrite it with privileges of the application.

Remediation

Install update from vendor's website.

References

https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b
https://github.com/raszi/node-tmp/issues/207
https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html