VulnerableCode Package Details - pkg:apk/alpine/nodejs@14.17.6-r0?arch=armhf&distroversion=edge&reponame=main

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1tz4-bphw-rbd3	Path Traversal This npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted.	CVE-2021-37701 GHSA-9r2w-394v-53qc
VCID-7mtb-yaq7-77ep	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The npm package "tar" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.	CVE-2021-37712 GHSA-qq89-hq3f-393p
VCID-9vk1-2ysq-3ygd	UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist which is included in npm v7.20.7. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.	CVE-2021-39135 GHSA-gmw6-94gg-2rc2
VCID-m4hj-dq8q-67f6	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The npm package "tar" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted.	CVE-2021-37713 GHSA-5955-9wpr-37jh
VCID-myru-vzn7-u7cf	UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.	CVE-2021-39134 GHSA-2h3h-q99f-3fhc

Vulnerability

Summary

Aliases

VCID-1tz4-bphw-rbd3

Path Traversal This npm package has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted.

CVE-2021-37701
GHSA-9r2w-394v-53qc

VCID-7mtb-yaq7-77ep

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The npm package "tar" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

CVE-2021-37712
GHSA-qq89-hq3f-393p

VCID-9vk1-2ysq-3ygd

UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder. This is accomplished by extracting package contents into a project's `node_modules` folder. If the `node_modules` folder of the root project or any of its dependencies is somehow replaced with a symbolic link, it could allow Arborist to write package dependencies to any arbitrary location on the file system. Note that symbolic links contained within package artifact contents are filtered out, so another means of creating a `node_modules` symbolic link would have to be employed. A `preinstall` script could replace `node_modules` with a symlink. (This is prevented by using `--ignore-scripts`.) An attacker could supply the target with a git repository, instructing them to run `npm install --ignore-scripts` in the root. This may be successful, because `npm install --ignore-scripts` is typically not capable of making changes outside of the project directory, so it may be deemed safe. This is patched in @npmcli/arborist which is included in npm v7.20.7. For more information including workarounds please see the referenced GHSA-gmw6-94gg-2rc2.

CVE-2021-39135
GHSA-gmw6-94gg-2rc2

VCID-m4hj-dq8q-67f6

CVE-2021-37713
GHSA-5955-9wpr-37jh

VCID-myru-vzn7-u7cf

UNIX Symbolic Link (Symlink) Following `@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected folder.

CVE-2021-39134
GHSA-2h3h-q99f-3fhc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T13:57:08.990305+00:00	Alpine Linux Importer	Fixing	VCID-1tz4-bphw-rbd3	https://secdb.alpinelinux.org/edge/main.json	38.1.0
2026-04-01T19:28:34.474028+00:00	Alpine Linux Importer	Fixing	VCID-myru-vzn7-u7cf	https://secdb.alpinelinux.org/edge/main.json	38.0.0
2026-04-01T19:20:54.602348+00:00	Alpine Linux Importer	Fixing	VCID-9vk1-2ysq-3ygd	https://secdb.alpinelinux.org/edge/main.json	38.0.0
2026-04-01T19:13:19.392210+00:00	Alpine Linux Importer	Fixing	VCID-m4hj-dq8q-67f6	https://secdb.alpinelinux.org/edge/main.json	38.0.0
2026-04-01T19:09:37.777565+00:00	Alpine Linux Importer	Fixing	VCID-7mtb-yaq7-77ep	https://secdb.alpinelinux.org/edge/main.json	38.0.0