tar-fs
npm | 4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting tar-fs
- CVE-2018-20835 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.16.2 | 2019-04-30
A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same n…
- CVE-2024-12905 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.0.7 | 2025-03-27
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can resul…
- CVE-2025-48387 | HIGH | CVSS 8.7 | EG 0.0 | ✓ Fixed in 3.0.9 | 2025-06-02
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and …
- CVE-2025-59343 | HIGH | CVSS 8.7 | EG 0.0 | ✓ Fixed in 1.16.6 | 2025-09-24
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in …