CVE-2026-31802

About vulnerability

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

Affected product:

AlmaLinux 9.2 ESU , Alpine Linux 3.18 ELS , Amazon Linux 2 ELS , CentOS 6 ELS , CentOS 7 ELS , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , CloudLinux 7 ELS , Debian 10 ELS , Next.js , Node.js , Oracle Linux 6 ELS , Oracle Linux 7 ELS , RHEL 7 ELS , React , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS , c12 , cacache , giget , libcipm , libnpm , make-fetch-happen , ng-packagr , npm , npm-lifecycle , nuxt , pacote , pdfjs-dist , protractor , remix , sass-loader , storybook , tar , terser-webpack-plugin , webdriver-manager

Affected packages:

tar (+150 more)

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.