VYPR

apk package

chainguard/actions-runner

pkg:apk/chainguard/actions-runner

Vulnerabilities (29)

  • CVE-2026-26960Feb 20, 2026
    affected < 2.332.0-r0fixed 2.332.0-r0

    node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as t

  • CVE-2026-25547CriFeb 4, 2026
    affected < 2.331.0-r3fixed 2.331.0-r3

    @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated nume

  • CVE-2026-24842Jan 28, 2026
    affected < 2.331.0-r1fixed 2.331.0-r1

    node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that b

  • CVE-2026-0775HigJan 23, 2026
    affected < 2.331.0-r3fixed 2.331.0-r3

    npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system i

  • CVE-2026-24001Jan 22, 2026
    affected < 2.331.0-r1fixed 2.331.0-r1

    jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop.

  • CVE-2026-23950Jan 20, 2026
    affected < 2.331.0-r1fixed 2.331.0-r1

    node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS AP

  • CVE-2026-23745Jan 16, 2026
    affected < 2.331.0-r1fixed 2.331.0-r1

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading t

  • CVE-2025-64756Nov 17, 2025
    affected < 2.331.0-r0fixed 2.331.0-r0

    Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, the glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names.

  • CVE-2025-64118MedOct 30, 2025
    affected < 0fixed 0

    node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

Page 2 of 2