CVE-2026-31802
Published 2026-03-10
Priority: P4 · 26 · medium · 5.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.25% (16.5th percentile)
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Affected (7 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < node-tar 6.2.1+ds1+~cs6.1.13-10 (forky) | node-tar 6.2.1+ds1+~cs6.1.13-10 (forky) |
| gnu | tar | >= 0 < 7.5.11 | 7.5.11 |
| isaacs | node-tar | < 7.5.11 | 7.5.11 |
| isaacs | node-tar | >= 0 < 6.2.1+ds1+~cs6.1.13-10 | 6.2.1+ds1+~cs6.1.13-10 |
| isaacs | tar | < 7.5.11 | 7.5.11 |
| msrc | azl3_tar_1.35-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_tar_1.34-3_on_cbl_mariner_2.0 | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.2 | HIGH | — |
| vendor_debian | — | 8.2 | LOW | — |
| vendor_msrc | — | 8.2 | HIGH | — |
| vendor_redhat | — | 8.2 | HIGH | — |
GHSA
node-tar Symlink Path Traversal via Drive-Relative Linkpath
ghsa · 2026-03-10 · CVE-2026-31802 · HIGH · CWE-22
### Summary
`tar` (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as `C:../../../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.
### Details
The extraction logic in `Unpack[STRIPABSOLUTEPATH]` validates `..` segments against a resolved path that still uses the original drive-relative value, and only afterwards rewrites the stored `linkpath` to the stripped value.
What happens with `linkpath: "C:../../../target.txt"`:
1. `stripAbsolutePath()` removes `C:` and rewrites the value to `../../../target.txt`.
2. The escape check resolves using the original pre-stripped value, so it is treated as in-bounds
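The ordering problem described above, as an added simplified model (not node-tar's own code): `stripDriveRelative` stands in for the effect the advisory attributes to `stripAbsolutePath()`, the segment-walk containment test is an assumed stand-in for the escape check, and `checkThenStrip` versus `stripThenCheck` contrasts validating the raw value with validating the value that is actually used.

```javascript
'use strict';

// Remove a Windows drive-relative prefix such as "C:" (drive letter, colon,
// no separator after it). This models only the effect the advisory attributes
// to stripAbsolutePath(); anything else is returned unchanged.
function stripDriveRelative(linkpath) {
  return /^[A-Za-z]:(?![\\/])/.test(linkpath) ? linkpath.slice(2) : linkpath;
}

// Assumed containment test (not node-tar's code): start at the depth of the
// symlink's directory inside the extraction root, let ".." climb one level and
// any other named segment descend one. Dropping below the root means escape.
// Note that "C:.." is not exactly ".." and so counts as an ordinary name.
function escapesRoot(linkDirDepth, linkpath) {
  let depth = linkDirDepth;
  for (const seg of linkpath.split(/[\\/]+/)) {
    if (seg === '..') depth -= 1;
    else if (seg !== '' && seg !== '.') depth += 1;
    if (depth < 0) return true;
  }
  return false;
}

// Vulnerable ordering: validate the raw value, then rewrite it. The check
// approves "C:../../../target.txt", but the rewritten value that is actually
// used, "../../../target.txt", climbs three levels.
function checkThenStrip(linkDirDepth, raw) {
  if (escapesRoot(linkDirDepth, raw)) return { ok: false, linkpath: raw };
  return { ok: true, linkpath: stripDriveRelative(raw) };
}

// Fixed ordering: rewrite first, then validate exactly the value that will be
// handed to the filesystem.
function stripThenCheck(linkDirDepth, raw) {
  const linkpath = stripDriveRelative(raw);
  return { ok: !escapesRoot(linkDirDepth, linkpath), linkpath };
}

// Constructed sample: a symlink one directory below the extraction root
// (e.g. out/dir/link) whose target is the drive-relative value from the advisory.
const SAMPLE_DEPTH = 1;
const SAMPLE_LINKPATH = 'C:../../../target.txt';

console.log('check-then-strip:', checkThenStrip(SAMPLE_DEPTH, SAMPLE_LINKPATH));
console.log('strip-then-check:', stripThenCheck(SAMPLE_DEPTH, SAMPLE_LINKPATH));
```

The first line shows the raw value passing while the stripped value is what gets written; the second shows the same input rejected once the check runs on the final value.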
OSV
CVE-2026-31802: node-tar is a full-featured Tar for Node
osv · 2026-03-10 · CVSS 8.2 · CVE-2026-31802 · HIGH
OSV
node-tar Symlink Path Traversal via Drive-Relative Linkpath
osv · 2026-03-10 · CVE-2026-31802 · HIGH
Microsoft
node-tar Symlink Path Traversal via Drive-Relative Linkpath
vendor_msrc · 2026-03-10 · CVSS 8.2 · CVE-2026-31802 · HIGH · CWE-22
Affected: Mariner, GitHub_M
Customer Action Required: Yes
Red Hat
tar: tar: File overwrite via drive-relative symlink traversal
vendor_redhat · 2026-03-09 · CVSS 8.2 · CVE-2026-31802 · HIGH · CWE-22
A flaw was found in tar. An attacker can exploit this vulnerability by crafting a malicious tar archive containing a drive-relative symlink. This symlink, such as C:../../../target.txt, can trick the tar utility into writing files outside the intended extraction directory during normal archive extraction, leading to unauthorized file overwrite.
Statement: This is a MODERATE impact v
Debian
CVE-2026-31802: node-tar - node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) ...
vendor_debian · 2026 · CVSS 8.2 · CVE-2026-31802 · HIGH
Scope: local
bookworm: resolved
bullseye: open
forky: resolved (fixed in 6.2.1+ds1+~cs6.1.13-10)
sid: resolved (fixed in 6.2.1+ds1+~cs6.1.13-10)
trixie: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-59465 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
## CVE-2025-59465: npm vulnerability analysis and mitigation
Keywords: HTTP/2 HEADERS, HPACK, TLSSocket, ECONNRESET
Code fragment shown on the Wiz page:

```javascript
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```

Source: NVD
Score: 7.5
Published: January 20, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies
npm
Node.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nodejs-devel
nodejs22
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 15, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 19, 2026
Alpine 3.21 Severity HIGH Has Fix Added at: Apr 06, 2026
Alpine 3.22 Severity HIGH Has Fix Added at: Ja
Wiz
CVE-2025-59466 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
## CVE-2025-59466: npm vulnerability analysis and mitigation
Keywords: `async_hooks.createHook()`, `process.on('uncaughtException')`, `AsyncLocalStorage`
Source: NVD
Score: 7.5
Published: January 20, 2026
Severity: HIGH
CNA Score: 5.9
Affected Technologies
npm
Node.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nodejs20-docs
nodejs:20::nodejs
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 15, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 19, 2026
Alpine 3.21 Severity HIGH Has Fix Added at: Apr 06, 2026
Alpine 3.22 Severity HIGH Has Fix Added at: Jan 23, 2026
Alpine 3.23, ed
Wiz
CVE-2025-55131 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1 · HIGH
## CVE-2025-55131: npm vulnerability analysis and mitigation
Keywords: `vm`, `Buffer.alloc`, `TypedArray`, `Uint8Array`
Source: NVD
Score: 7.1
Published: January 20, 2026
Severity: HIGH
CNA Score: 7.1
Affected Technologies
npm
Node.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nodejs20-libs-debuginfo
nodejs22-libs-debuginfo
Sources
NVD
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 15, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 19, 2026
Alpine 3.21 Severity HIGH Has Fix Added at: Apr 06, 2026
Alpine 3.22 Severity HIGH Has Fix Added at: Jan 23, 2026
Alpine 3.23, edge Severity HIGH Has Fix Added at: Jan 18
Wiz
CVE-2026-31802 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2 · HIGH
## CVE-2026-31802: JavaScript vulnerability analysis and mitigation
Source: NVD
Score: 8.2
Published: March 10, 2026
Severity: HIGH
CNA Score: 8.2
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nodejs:24::v8-12.4-devel
tar
Wiz
CVE-2026-21637 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5 · HIGH
## CVE-2026-21637: npm vulnerability analysis and mitigation
Keywords: `pskCallback`, `ALPNCallback`
Source: NVD
Score: 7.5
Published: January 20, 2026
Severity: HIGH
CNA Score: 5.9
Affected Technologies
npm
Node.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nodejs-docs
nodejs:24::nodejs-libs
Sources
AlmaLinux 8 Severity HIGH Has Fix Added at: Feb 15, 2026
AlmaLinux 9 Severity HIGH Has Fix Added at: Feb 19, 2026
Alpine 3.21 Severity HIGH Has Fix Added at: Apr 06, 2026
Alpine 3.22 Severity HIGH Has Fix Added at: Jan 23, 2026
Alpine 3.23, edge Severity HIGH Has Fix Added at: Jan 18, 2026
CBL-Mariner 3.0 Severity
Bugzilla
CVE-2026-31802 tar: tar: File overwrite via drive-relative symlink traversal
bugzilla · 2026-03-09 · CVSS 8.2 · CVE-2026-31802 · HIGH
Published: 2026-03-10