Root Package Tar: Unpatched Versions Leave System to Root Access

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

Root Package Tar: Unpatched Versions Leave System to Root Access

ROOT-APP-NPM-GHSA-qffp-2rhf-9h96

Summary

A security patch has been released for Root's tar package, which fixes a vulnerability that could allow an attacker to gain unauthorized access to a system. If you're using an unpatched version of the package, update to the latest version to protect your system. This patch is available for Root users.

What to do

Update rootio @rootio/tar to version 6.2.1-root.io.5.

Affected software

Vendor	Product	Affected versions	Fix available
rootio	@rootio/tar	<= 6.2.1-root.io.5	6.2.1-root.io.5

Original title

GHSA-qffp-2rhf-9h96 in @rootio/tar - Patched by Root

Original description

Root has patched GHSA-qffp-2rhf-9h96 in the @rootio/tar package for Root:npm. Multiple fixed versions available.

Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026