tar
npm12 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting tarpage 1 of 1
- CVE-2015-8860HIGHCVSS 7.5EG 7.5✓ Fixed in 2.0.02017-01-23
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
- CVE-2018-20834HIGHCVSS 7.5EG 7.5✓ Fixed in 2.2.22019-04-30
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with…
- CVE-2021-32803HIGHCVSS 8.2EG 8.2✓ Fixed in 6.1.22021-08-03
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location woul…
- CVE-2021-32804HIGHCVSS 8.2EG 8.2✓ Fixed in 6.1.12021-08-03
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file…
- CVE-2021-37701HIGHCVSS 8.2EG 8.2✓ Fixed in 6.1.72021-08-31
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by…
- CVE-2021-37712HIGHCVSS 8.2EG 8.2✓ Fixed in 6.1.92021-08-31
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified b…
- CVE-2021-37713HIGHCVSS 8.2EG 8.2✓ Fixed in 6.1.92021-08-31
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of…
- CVE-2024-28863MEDIUMCVSS 6.5EG 6.5✓ Fixed in 6.2.12024-03-21
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system runni…
- CVE-2025-64118MEDIUMCVSS 6.1EG 0.0✓ Fixed in 7.5.22025-10-30
vulnerable: 7.5.1
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fi…
- CVE-2026-23745MEDIUMCVSS 6.1EG 6.1✓ Fixed in 7.5.32026-01-16
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass t…
- CVE-2026-23950HIGHCVSS 8.8EG 8.8✓ Fixed in 7.5.42026-01-20
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-…
- CVE-2026-24842HIGHCVSS 8.2EG 8.2✓ Fixed in 7.5.72026-01-28
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacke…
Check whether tar is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for tar CVEs against the assets you own.
Start Free Scan →