Directory Traversal Affecting renovate package, versions <43.170.15-r3
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CHAINGUARDLATEST-RENOVATE-17239699
- published9 Jun 2026
- disclosed11 Jun 2026
Introduced: 9 Jun 2026
NewCVE-2026-44705 (opens in a new tab)How to fix?
Upgrade Chainguard renovate to version 43.170.15-r3 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream renovate package and not the renovate package as distributed by Chainguard.
See How to fix? for Chainguard relevant fixed versions and status.
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.