CVE-2026-31802 - Vulnerability Details

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Isaacs	Tar

No data.

References

Link	Providers
https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256

History

Tue, 10 Mar 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 10 Mar 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Isaacs Isaacs tar
Vendors & Products		Isaacs Isaacs tar

Mon, 09 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Title		node-tar Symlink Path Traversal via Drive-Relative Linkpath
Weaknesses		CWE-22
References		https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-09T21:11:56.668Z

Updated: 2026-03-10T14:56:35.229Z

Reserved: 2026-03-09T16:33:42.913Z

Link: CVE-2026-31802

Vulnrichment

Updated: 2026-03-10T14:56:23.927Z

NVD

Status : Received

Published: 2026-03-10T07:44:58.020

Modified: 2026-03-10T07:44:58.020

Link: CVE-2026-31802

Redhat

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact High

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object