node-tar — CVE history (npm)
node-tar
14 CVEs affect the node-tar npm package (highest CVSS 8.8). Latest disclosed: 2026-06-22. Full CVE history sourced from NVD.
Summary
- Package: node-tar (npm)
- Total CVEs: 14
- Actively exploited (CISA KEV): 0
- Highest CVSS: 8.8
- Latest disclosed: 2026-06-22
Recent CVEs (top 14)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-53655 | Medium | 5.5 | — | 2026-06-22 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-31802 | Medium | 5.5 | — | 2026-03-10 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-29786 | Medium | 6.3 | — | 2026-03-07 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-26960 | High | 7.1 | — | 2026-02-20 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-24842 | High | 8.2 | — | 2026-01-28 | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. |
| CVE-2026-23950 | High | 8.8 | — | 2026-01-20 | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. |
| CVE-2026-23745 | Medium | 6.1 | — | 2026-01-16 | node-tar is a Tar for Node.js. |
| CVE-2025-64118 | — | — | — | 2025-10-30 | node-tar is a Tar for Node.js. |
| CVE-2024-28863 | Medium | 6.5 | — | 2024-03-21 | node-tar is a Tar for Node.js. |
| CVE-2021-37713 | High | 8.2 | — | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37712 | High | 8.2 | — | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37701 | High | 8.2 | — | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-32804 | High | 8.2 | — | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. |
| CVE-2021-32803 | High | 8.2 | — | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-23950 | High | 8.8 | — | 2026-01-20 | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. |
| CVE-2026-24842 | High | 8.2 | — | 2026-01-28 | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. |
| CVE-2021-37713 | High | 8.2 | — | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37712 | High | 8.2 | — | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37701 | High | 8.2 | — | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-32804 | High | 8.2 | — | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. |
| CVE-2021-32803 | High | 8.2 | — | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. |
| CVE-2026-26960 | High | 7.1 | — | 2026-02-20 | node-tar is a full-featured Tar for Node.js. |
| CVE-2024-28863 | Medium | 6.5 | — | 2024-03-21 | node-tar is a Tar for Node.js. |
| CVE-2026-29786 | Medium | 6.3 | — | 2026-03-07 | node-tar is a full-featured Tar for Node.js. |