tmp Node.js Library Symbolic Link Vulnerability Allows Arbitrary File Write
Vulnerability
A vulnerability exists in the tmp library for Node.js, specifically in versions prior to 0.2.3. The issue allows temporary files or directories to be written to arbitrary locations when the 'dir' parameter goes through a symbolic link. It arises because the 'dir' option can be made to point to a location outside the standard temporary directory, bypassing safety checks. The problem is rooted in the '_resolvePath' function, which does not correctly handle symbolic links when determining file paths. As a result, a symlink that points to a directory outside the intended temporary directory can be used to exploit the flaw, leading to unauthorized file writes.
Impact
Exploitation of this vulnerability allows for arbitrary writing of temporary files or directories outside the designated temporary directory, which could disrupt normal application operations or lead to unauthorized data access.
Reproduction
To reproduce this vulnerability, create a symbolic link in the temporary directory that points to a location outside of it. Then, use the 'dir' option to specify a directory through the symlink, which will bypass the relative path check and allow files to be written outside the intended temporary directory.
Remediation
Users should update to tmp version 0.2.4 or later, where this vulnerability has been fixed.
