Description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Published: 2026-03-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal / File Overwrite
Action: Patch immediately
AI Analysis

Impact

node-tar is a popular tar implementation for Node.js. A flaw in versions prior to 7.5.11 allows an attacker to craft a tar archive that contains a symlink with a drive‑relative target such as C:../../../target.txt. When the archive is extracted with tar.x(), the symlink points outside the intended extraction directory, permitting the extraction process to overwrite files located anywhere on the same drive. This path traversal vulnerability can thus change, delete, or overwrite arbitrary files, leading to integrity compromise or, if critical system files are targeted, potential privilege escalation.

Affected Systems

The affected product is isaacs' node-tar, bundled in Node.js environments. All releases older than 7.5.11 are vulnerable, including 7.5.10 and earlier. Users of Node.js applications that depend on node-tar for archive extraction should verify the installed version and upgrade as soon as possible.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. The EPSS score is below 1%, suggesting that exploitation is currently uncommon, and the vulnerability is not listed in the CISA KEV catalog. However, the attack path is straightforward: an attacker can supply a malicious tar archive to any process that uses node-tar for extraction, and the vulnerability will allow the attacker to overwrite arbitrary files located on the same drive. Because the symlink requires a drive‑relative target, the risk is mainly for Windows environments; based on the description, this is inferred as the default OS requires drive letters, but non‑Windows users may still be affected if similar path handling occurs. Environment hardening and timely patching are essential.

Generated by OpenCVE AI on April 17, 2026 at 11:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node-tar to version 7.5.11 or later
  • If upgrading is not immediately possible, configure the application to reject tar entries that are symlinks or that target paths containing drive‑relative components, before invoking tar.x()
  • Limit the extraction destination to a directory that resides on a different drive or on a filesystem that the application cannot modify, and run the extraction process with the least privileges necessary

Generated by OpenCVE AI on April 17, 2026 at 11:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9ppj-qmqm-q256 node-tar Symlink Path Traversal via Drive-Relative Linkpath
History

Wed, 18 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

 cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Wed, 11 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

threat_severity

Moderate

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Isaacs
Isaacs tar
Vendors & Products Isaacs
Isaacs tar

Mon, 09 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Title node-tar Symlink Path Traversal via Drive-Relative Linkpath
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}

Subscriptions

Isaacs Tar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T14:56:35.229Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31802

cve-icon Vulnrichment

Updated: 2026-03-10T14:56:23.927Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T07:44:58.020

Modified: 2026-03-18T18:13:34.703

Link: CVE-2026-31802

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-09T21:11:56Z

Links: CVE-2026-31802 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:00:11Z

Weaknesses