Bug 2386976 (CVE-2025-54798)
| Summary: | CVE-2025-54798 tmp: tmp Symbolic Link Write Vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | aarif, aazores, abarbaro, adkhan, alcohan, alizardo, anjoseph, anpicker, aprice, aschwart, asoldano, aszczucz, bbaranow, bdettelb, bkabrda, bmaxwell, boliveir, bparees, brian.stansberry, bstansbe, caswilli, cmah, darran.lofthouse, dfreiber, dhanak, dkreling, dlofthou, doconnor, dosoudil, drichtar, drosa, drow, dschmidt, dsimansk, eaguilar, ebaron, eborisov, erezende, eric.wittmann, ewittman, gmalinko, gotiwari, gparvin, gryan, gzaronik, haoli, hasun, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jburrell, jcammara, jcantril, jchui, jfula, jhe, jhuff, jkoehler, jlanda, jmitchel, jneedle, jolong, jowilson, jprabhak, jrokos, jwendell, kaycoth, kbempah, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lball, lchilton, lphiri, mabashia, manissin, mattdavi, matzew, mnovotny, mosmerov, mpierce, mposolda, msochure, mstipich, msvehla, mvyas, nboldt, ngough, nipatil, njean, nwallace, nyancey, oaljalju, ometelka, owatkins, pahickey, pantinor, pberan, pbizzarr, pbraun, pdelbell, pesilva, pjindal, pmackay, psrna, ptisnovs, rcernich, rexwhite, rhaigner, rhel-process-autobot, rkubis, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, shvarugh, simaishi, smaestri, smcdonal, solenoci, ssilvert, stcannon, sthirugn, sthorger, syedriko, teagle, tfister, thavo, thjenkin, tom.jenkinson, vdosoudi, veshanka, vkumar, vmuzikar, watson-tool-maintainers, wtam, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in tmp. The `tmp` module, used for creating temporary files and directories in Node.js, allows an arbitrary temporary file or directory write due to insufficient validation of the symbolic link parameter. This vulnerability allows a local attacker to provide a crafted symbolic link. This issue allows the creation of temporary files or directories at attacker-specified locations, potentially leading to unexpected behavior.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2387011, 2387014, 2387016, 2387018, 2387012, 2387013, 2387015, 2387017, 2387019, 2387020, 2387021, 2387022 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-08-07 01:01:13 UTC
|