Alert IDs:
- 078f6ef6-cad1-4679-9d8a-6919c6a4ff93
- 3831b3cf-8e1d-4640-96b1-febf283efbba
- 6cb50d11-0c32-4d02-a680-124218a3b748
- 8e9384de-2532-448c-90f6-8986265bd9b7
- f6d0c573-8523-430f-a766-c5d77cfc41ff
- f857e18e-0811-4e6d-b890-5a71a99b8623
Vulnerabilities in tar
Release: 1.0.125
Total Vulnerabilities: 6
Severity: HIGH (Score: 7.1)
Description:
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-26960
Alert ID: 078f6ef6-cad1-4679-9d8a-6919c6a4ff93
Severity: MEDIUM (Score: 5.9)
Description:
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., ß and ss), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a PathReservations system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23950
Alert ID: 3831b3cf-8e1d-4640-96b1-febf283efbba
Severity: HIGH (Score: 8.2)
Description:
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-24842
Alert ID: 6cb50d11-0c32-4d02-a680-124218a3b748
Severity: MEDIUM (Score: 5.5)
Description:
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-31802
Alert ID: 8e9384de-2532-448c-90f6-8986265bd9b7
Severity: MEDIUM (Score: 6.3)
Description:
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-29786
Alert ID: f6d0c573-8523-430f-a766-c5d77cfc41ff
Severity: MEDIUM (Score: 6.1)
Description:
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23745
Alert ID: f857e18e-0811-4e6d-b890-5a71a99b8623
Alert IDs:
Vulnerabilities in tar
Release: 1.0.125
Total Vulnerabilities: 6
1. CVE-2026-26960
Severity: HIGH (Score: 7.1)
Description:
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-26960
Alert ID: 078f6ef6-cad1-4679-9d8a-6919c6a4ff93
2. CVE-2026-23950
Severity: MEDIUM (Score: 5.9)
Description:
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the
path-reservationssystem. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g.,ßandss), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses aPathReservationssystem to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of usingNFDUnicode normalization (in whichßandssare different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in whichßcauses an inode collision withss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updatespath-reservations.jsto use a normalization form that matches the target filesystem's behavior (e.g.,NFKD), followed by firsttoLocaleLowerCase('en')and thentoLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically usingnode-tarto extract arbitrary tarball data should filter out allSymbolicLinkentries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23950
Alert ID: 3831b3cf-8e1d-4640-96b1-febf283efbba
3. CVE-2026-24842
Severity: HIGH (Score: 8.2)
Description:
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-24842
Alert ID: 6cb50d11-0c32-4d02-a680-124218a3b748
4. CVE-2026-31802
Severity: MEDIUM (Score: 5.5)
Description:
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-31802
Alert ID: 8e9384de-2532-448c-90f6-8986265bd9b7
5. CVE-2026-29786
Severity: MEDIUM (Score: 6.3)
Description:
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-29786
Alert ID: f6d0c573-8523-430f-a766-c5d77cfc41ff
6. CVE-2026-23745
Severity: MEDIUM (Score: 6.1)
Description:
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2026-23745
Alert ID: f857e18e-0811-4e6d-b890-5a71a99b8623