Improper Input Validation Affecting lerna package, versions <9.0.7-r9


Severity

Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.5% (39th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-WOLFILATEST-LERNA-17496031
  • published25 Jun 2026
  • disclosed11 Jun 2026

Introduced: 11 Jun 2026

NewCVE-2026-49982  (opens in a new tab)
CWE-20  (opens in a new tab)
CWE-22  (opens in a new tab)

How to fix?

Upgrade Wolfi lerna to version 9.0.7-r9 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream lerna package and not the lerna package as distributed by Wolfi. See How to fix? for Wolfi relevant fixed versions and status.

tmp is a temporary file and directory creator for node.js. In version 0.2.6, the _assertPath guard added to tmp rejects only string values that contain the substring ... It is bypassed when prefix, postfix, or template is supplied as a non-string value (Array, Buffer, or any object) whose includes('..') returns falsy but whose stringification still contains ../. The value flows through Array.prototype.join/String coercion inside _generateTmpName and path.join(tmpDir, opts.dir, name), producing a final path that escapes tmpdir and creates a file or directory at an attacker-controlled location with the host process's privileges. This affects any application that forwards untrusted request data (a common pattern is JSON body fields or qs-parsed bracket-array query strings such as ?prefix[]=...) into tmp.file, tmp.fileSync, tmp.dir, tmp.dirSync, tmp.tmpName, or tmp.tmpNameSync without explicit type coercion. This vulnerability is fixed in 0.2.7.