npm's tar tool can extract files outside intended directories
CVE-2026-31802 · GHSA-9ppj-qmqm-q256
Summary
A bug in older versions of npm's tar tool could allow malicious files to be extracted outside of their intended directory, potentially leading to file overwrite attacks. This affects older versions of the tool, but has been fixed in version 7.5.11 and later. To stay secure, upgrade to the latest version of npm's tar tool.
What to do
- Update tar to version 7.5.11 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | tar | <= 7.5.10 | 7.5.11 |
Original title
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink...
Original description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
NVD CVSS 4.0 score: 8.2
Vulnerability type
CWE-22: Path Traversal
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026