High severity · NVD Advisory · Published Mar 9, 2026 · Updated Mar 10, 2026
node-tar Symlink Path Traversal via Drive-Relative Linkpath
CVE-2026-31802
Description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
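A defender-side check for the pattern described above, as an added example that is not node-tar's code or its fix: it classifies symlink linkpaths under Windows path rules and flags drive-relative targets, which `path.win32.isAbsolute` reports as not absolute. The entry objects, the function names and the `X:\root` virtual extraction root are assumptions made for illustration.

```javascript
const path = require('node:path');
const w = path.win32; // apply Windows path rules on any host OS

// Virtual extraction root (assumption, used only to resolve relative targets).
const ROOT = 'X:\\root';

// Classify where a symlink entry's target would point relative to ROOT.
function classifyLinkpath(entryPath, linkpath) {
  if (w.isAbsolute(linkpath)) return 'absolute';
  // "C:..\\x" is not absolute, yet parse() still reports a drive root "C:".
  if (w.parse(linkpath).root !== '') return 'drive-relative';
  // Plain relative target: resolve it from the directory holding the link.
  const linkDir = w.join(ROOT, w.dirname(entryPath));
  const rel = w.relative(ROOT, w.resolve(linkDir, linkpath));
  if (rel === '..' || rel.startsWith('..\\')) return 'escapes-root';
  return 'inside-root';
}

// Return the symlink entries whose target is not provably inside ROOT.
function auditEntries(entries) {
  return entries
    .filter((e) => e.type === 'SymbolicLink')
    .map((e) => ({
      path: e.path,
      linkpath: e.linkpath,
      verdict: classifyLinkpath(e.path, e.linkpath),
    }))
    .filter((r) => r.verdict !== 'inside-root');
}

// Constructed sample entries (not taken from a real archive).
const SAMPLE = [
  { path: 'pkg/README.md', type: 'File' },
  { path: 'pkg/docs/latest', type: 'SymbolicLink', linkpath: '../README.md' },
  { path: 'pkg/a', type: 'SymbolicLink', linkpath: 'C:../../../target.txt' },
  { path: 'pkg/b', type: 'SymbolicLink', linkpath: '../../outside.txt' },
  { path: 'pkg/c', type: 'SymbolicLink', linkpath: 'C:\\Windows\\win.ini' },
];

// Print the flagged entries when the file is run directly.
console.log(auditEntries(SAMPLE));
```

Such a check can be applied to a listing of an untrusted archive before extraction on hosts that cannot yet move to 7.5.11.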
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar (npm) | < 7.5.11 | 7.5.11 |
Affected products
osv-coords, 53 versions (no CPE listed for any entry):

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/actions-runner | < 2.332.0-r2 |
| pkg:apk/chainguard/graalvm-25-ce-nodejs | < 25.0.2-r5 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-bitnami | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r13 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r14 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.2 | < 9.2.6-r1 |
| pkg:apk/chainguard/kibana-9.2-iamguarded | < 9.2.6-r1 |
| pkg:apk/chainguard/kibana-9.3 | < 9.3.1-r1 |
| pkg:apk/chainguard/kibana-9.3-iamguarded | < 9.3.1-r1 |
| pkg:apk/chainguard/kubeflow-centraldashboard | < 1.10.0-r15 |
| pkg:apk/chainguard/lerna | < 9.0.7-r1 |
| pkg:apk/chainguard/node-gyp | < 12.2.0-r2 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r1 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-alerting-dashboards-plugin | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-anomaly-detection-dashboards-plugin | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-maps | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-notifications | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-observability | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-query-workbench | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-reporting | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-dashboards-search-relevance | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-index-management-dashboards-plugin | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-ml-commons-dashboards | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-security-analytics-dashboards-plugin | < 3.5.0-r4 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips-security-dashboards-plugin | < 3.5.0-r4 |
| pkg:apk/chainguard/pulumi-language-nodejs | < 3.224.0-r2 |
| pkg:apk/chainguard/renovate | < 43.77.8-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/sqlpad | < 7.5.7-r13 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r8 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r9 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.5-r4 |
| pkg:apk/chainguard/wazuh-dashboard-fips | < 4.14.5-r4 |
| pkg:apk/wolfi/kubeflow-centraldashboard | < 1.10.0-r15 |
| pkg:apk/wolfi/lerna | < 9.0.7-r1 |
| pkg:apk/wolfi/node-gyp | < 12.2.0-r2 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/wolfi/pulumi-language-nodejs | < 3.224.0-r2 |
| pkg:apk/wolfi/renovate | < 43.77.8-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/sqlpad | < 7.5.7-r13 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r8 |
| pkg:npm/tar | < 7.5.11 |
References
- github.com/advisories/GHSA-9ppj-qmqm-q256 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-31802 (ghsa, ADVISORY)
- github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad (ghsa, x_refsource_MISC, WEB)
- github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 (ghsa, x_refsource_CONFIRM, WEB)