CVE-2026-31802

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

CVSS

No CVSS.

References

Link	Resource
https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256

Configurations

No configuration.

History

11 Mar 2026, 13:53

Type	Values Removed	Values Added
Summary		(es) node-tar es una implementación completa de Tar para Node.js. Antes de la versión 7.5.11, tar (npm) puede ser engañado para crear un enlace simbólico que apunta fuera del directorio de extracción utilizando un destino de enlace simbólico relativo a la unidad, como C:../../../target.txt, lo que permite la sobrescritura de archivos fuera del directorio de trabajo actual (cwd) durante la extracción normal de tar.x(). Esta vulnerabilidad está corregida en la versión 7.5.11.

10 Mar 2026, 18:19

Type	Values Removed	Values Added
References	~~() https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 -~~	() https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 -

10 Mar 2026, 07:44

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-10 07:44

Updated : 2026-03-11 13:53

NVD link : CVE-2026-31802

Mitre link : CVE-2026-31802

CVE.ORG link : CVE-2026-31802

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-31802", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-10T07:44:58.020", "references": [{"url": "https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad", "source": "security-advisories@github.com"}, {"url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256", "source": "security-advisories@github.com"}, {"url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11."}, {"lang": "es", "value": "node-tar es una implementaci\u00f3n completa de Tar para Node.js. Antes de la versi\u00f3n 7.5.11, tar (npm) puede ser enga\u00f1ado para crear un enlace simb\u00f3lico que apunta fuera del directorio de extracci\u00f3n utilizando un destino de enlace simb\u00f3lico relativo a la unidad, como C:../../../target.txt, lo que permite la sobrescritura de archivos fuera del directorio de trabajo actual (cwd) durante la extracci\u00f3n normal de tar.x(). Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 7.5.11."}], "lastModified": "2026-03-11T13:53:47.157", "sourceIdentifier": "security-advisories@github.com"}