What is CVE-2026-31802?

CVE-2026-31802 is a vulnerability in Isaacs Node-tar, classified under Path Traversal. Published 2026-03-09.

Is CVE-2026-31802 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Isaacs Node-tar

CVE-2026-31802

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, whi…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (1.0th percentile) — read the EPSS interpretation.

Affected products

Isaacs Node-tar — versions < 7.5.11

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256 (x_refsource_CONFIRM)
https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-31802?: CVE-2026-31802 is a vulnerability in Isaacs Node-tar, classified under Path Traversal. Published 2026-03-09.
Is CVE-2026-31802 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.