VulnerableCode Package Details - pkg:npm/tar-fs@1.7.0

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/tar-fs@1.7.0

Essentials
History (4)

purl	pkg:npm/tar-fs@1.7.0

Next non-vulnerable version	1.16.6
Latest non-vulnerable version	3.1.1
Risk	10.0

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-9yvn-36su-rba9 Aliases: CVE-2025-48387 GHSA-8cj5-5rvv-wf4v	tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.	1.16.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 2.1.3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.0.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-m381-y8gp-wbg8 Aliases: CVE-2018-20835 GHSA-x2mc-8fgj-3wmr	Improper Input Validation in tar-fs	1.16.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-q8uf-4z9d-jqe9 Aliases: CVE-2025-59343 GHSA-vj76-c3g6-qr5v		1.16.6 Affected by 0 other vulnerabilities. 2.1.4 Affected by 0 other vulnerabilities. 3.1.1 Affected by 0 other vulnerabilities.
VCID-sr61-u29y-k3az Aliases: CVE-2024-12905 GHSA-pq67-2wwv-3xjx	An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.	1.16.4 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.1.2 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.0.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:21:46.418718+00:00	GitLab Importer	Affected by	VCID-q8uf-4z9d-jqe9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2025-59343.yml	38.6.0
2026-06-12T20:03:15.473921+00:00	GitLab Importer	Affected by	VCID-9yvn-36su-rba9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2025-48387.yml	38.6.0
2026-06-12T19:57:24.046014+00:00	GitLab Importer	Affected by	VCID-sr61-u29y-k3az	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2024-12905.yml	38.6.0
2026-06-12T17:10:40.279168+00:00	GitLab Importer	Affected by	VCID-m381-y8gp-wbg8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2018-20835.yml	38.6.0