CodeQL documentation

Insecure temporary file

ID: js/insecure-temporary-file
Kind: path-problem
Severity: warning
Precision: medium
   - external/cwe/cwe-377
   - external/cwe/cwe-378
   - security
Query suites:
   - javascript-security-extended.qls
   - javascript-security-and-quality.qls

Click to see the query in the CodeQL repository

Temporary files created in the operating system’s temporary directory are by default accessible to other users. In some cases, this can lead to information exposure, or in the worst case, to remote code execution.


Use a well-tested library like tmp for creating temporary files. These libraries ensure both that the file is inaccessible to other users and that the file does not already exist.


The following example creates a temporary file in the operating system’s temporary directory.

const fs = require('fs');
const os = require('os');
const path = require('path');

const file = path.join(os.tmpdir(), "test-" + (new Date()).getTime() + ".txt");
fs.writeFileSync(file, "content");

The file created above is accessible to other users, and there is no guarantee that the file does not already exist.

The below example uses the tmp library to securely create a temporary file.

const fs = require('fs');
const tmp = require('tmp');

const file = tmp.fileSync().name;
fs.writeFileSync(file, "content");


  • © GitHub, Inc.
  • Terms
  • Privacy