VulnerableCode Package Details - pkg:npm/tar-fs@3.0.8

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/tar-fs@3.0.8

Essentials
History (2)

purl	pkg:npm/tar-fs@3.0.8

Next non-vulnerable version	3.1.1
Latest non-vulnerable version	3.1.1
Risk	4.0

Vulnerabilities affecting this package (2)

Vulnerability	Summary	Fixed by
VCID-9yvn-36su-rba9 Aliases: CVE-2025-48387 GHSA-8cj5-5rvv-wf4v	tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.	3.0.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-q8uf-4z9d-jqe9 Aliases: CVE-2025-59343 GHSA-vj76-c3g6-qr5v		3.1.1 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T20:21:46.605887+00:00	GitLab Importer	Affected by	VCID-q8uf-4z9d-jqe9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2025-59343.yml	38.6.0
2026-06-12T20:03:15.641749+00:00	GitLab Importer	Affected by	VCID-9yvn-36su-rba9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2025-48387.yml	38.6.0