VDB
DEBIAN-CVE-2026-31802
DEBIAN-CVE-2026-31802
PUBLISHED
CVSS 5.5 MEDIUM
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Risk Scores
CVSS v3.1
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:14 | node-tar | 0, 6.2.1+ds1+~cs6.1.13-2, 6.2.1+ds1+~cs6.1.13-4 |
| Debian:11 | node-tar | 0, 6.0.5+ds1+~cs11.3.9-1, 6.0.5+ds1+~cs11.3.9-1+deb11u1 |
Timeline
- Mar 10, 2026 CVE Published
- Apr 29, 2026 CVE Updated