High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026

node-tar Symlink Path Traversal via Drive-Relative Linkpath

CVE-2026-31802

Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
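
Added example (not node-tar's code and not its 7.5.11 patch): a defensive pre-extraction audit that classifies symlink linkpaths under Windows path rules and flags the drive-relative form described above, which `path.win32.isAbsolute()` reports as not absolute. The function names, verdict strings, the `C:\extract` directory and the sample entries are assumptions constructed for illustration.

```javascript
const { win32 } = require('node:path');

// Classify a symlink entry's linkpath before anything is written under cwd.
// path.win32 applies Windows path semantics on every platform.
// Verdict strings are this example's own (hypothetical), not node-tar's.
function checkLinkpath(cwd, entryPath, linkpath) {
  const { root } = win32.parse(linkpath);
  // A root of 'C:' with no separator after it is drive-relative:
  // win32.isAbsolute() is false for it, yet it does not resolve
  // against the entry's own directory.
  if (/^[A-Za-z]:$/.test(root)) return 'drive-relative';
  // Rooted, drive-absolute and UNC targets: rejected by this conservative policy.
  if (root !== '') return 'absolute';
  // Plain relative target: resolve it from the entry's directory inside cwd
  // and verify the result is still below cwd.
  const base = win32.resolve(cwd);
  const target = win32.resolve(base, win32.dirname(entryPath), linkpath);
  const rel = win32.relative(base, target);
  if (rel === '..' || rel.startsWith('..\\') || win32.isAbsolute(rel)) {
    return 'escapes-cwd';
  }
  return 'contained';
}

// Constructed sample entries, shaped like tar headers (type, path, linkpath).
const SAMPLE_ENTRIES = [
  { type: 'File', path: 'readme.txt' },
  { type: 'SymbolicLink', path: 'sub/ok', linkpath: 'data/../readme.txt' },
  { type: 'SymbolicLink', path: 'evil', linkpath: 'C:../../../target.txt' },
  { type: 'SymbolicLink', path: 'sub/up', linkpath: '..\\..\\target.txt' },
  { type: 'SymbolicLink', path: 'abs', linkpath: 'C:\\Windows\\win.ini' },
];

// Return one verdict per symlink entry; other entry types are skipped.
function auditEntries(cwd, entries) {
  return entries
    .filter((e) => e.type === 'SymbolicLink')
    .map((e) => ({
      path: e.path,
      linkpath: e.linkpath,
      verdict: checkLinkpath(cwd, e.path, e.linkpath),
    }));
}

// Print the symlinks an extractor should refuse to create.
for (const r of auditEntries('C:\\extract', SAMPLE_ENTRIES)) {
  if (r.verdict !== 'contained') console.log(`${r.verdict}: ${r.path} -> ${r.linkpath}`);
}
```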

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tar (npm)
Affected versions: < 7.5.11
Patched versions: 7.5.11