CVE-2026-31802

MEDIUM WAF: High

CVSS 5.5 Published: 2026-03-10

CWE-22

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

WAF Coverage Analysis

Path Traversal High WAF Coverage

OWASP: A01:2021 Broken Access Control

930xxx - Local File Inclusion

Affected Software

Vendor	Product	Version
isaacs	tar	up to 7.5.11

References

github.com (Vendor Advisory)
github.com (Exploit, Vendor Advisory)

Back to CVE Database