CVE-2026-31802Path Traversal in Node-tar

CWE-22Path Traversal9 documents8 sources
Severity
8.2HIGHNVD
EPSS
0.0%
top 99.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Isaacs Node-tarIsaacs TARGNU TAR
Timeline
PublishedMar 10

Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Affected Packages4 packages

CVEListV5isaacs/node-tar< 7.5.11
Debianisaacs/node-tar< 6.2.1+ds1+~cs6.1.13-10
npmgnu/tar< 7.5.11
NVDisaacs/tar< 7.5.11

🔴Vulnerability Details

4
GHSA
node-tar Symlink Path Traversal via Drive-Relative Linkpath2026-03-10
OSV
CVE-2026-31802: node-tar is a full-featured Tar for Node2026-03-10
OSV
node-tar Symlink Path Traversal via Drive-Relative Linkpath2026-03-10
CVEList
node-tar Symlink Path Traversal via Drive-Relative Linkpath2026-03-09

📋Vendor Advisories

3
Microsoft
node-tar Symlink Path Traversal via Drive-Relative Linkpath2026-03-10
Red Hat
tar: tar: File overwrite via drive-relative symlink traversal2026-03-09
Debian
CVE-2026-31802: node-tar - node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) ...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-31802 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-31802 — Path Traversal in Isaacs Node-tar | cvebase