Search for packages
| purl | pkg:npm/tar-fs@1.16.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9yvn-36su-rba9
Aliases: CVE-2025-48387 GHSA-8cj5-5rvv-wf4v |
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-q8uf-4z9d-jqe9
Aliases: CVE-2025-59343 GHSA-vj76-c3g6-qr5v |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
|
VCID-sr61-u29y-k3az
Aliases: CVE-2024-12905 GHSA-pq67-2wwv-3xjx |
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-m381-y8gp-wbg8 | Improper Input Validation in tar-fs |
CVE-2018-20835
GHSA-x2mc-8fgj-3wmr |