node-tar — CVE history (npm)

node-tar

14 CVEs affect the node-tar npm package (highest CVSS 8.8). Latest disclosed: 2026-06-22. Full CVE history sourced from NVD.

Summary

Package: node-tar (npm)
Total CVEs: 14
Actively exploited (CISA KEV): 0
Highest CVSS: 8.8
Latest disclosed: 2026-06-22

Recent CVEs (top 14)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-53655 | Medium | 5.5 | | 2026-06-22 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-31802 | Medium | 5.5 | | 2026-03-10 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-29786 | Medium | 6.3 | | 2026-03-07 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-26960 | High | 7.1 | | 2026-02-20 | node-tar is a full-featured Tar for Node.js. |
| CVE-2026-24842 | High | 8.2 | | 2026-01-28 | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. |
| CVE-2026-23950 | High | 8.8 | | 2026-01-20 | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. |
| CVE-2026-23745 | Medium | 6.1 | | 2026-01-16 | node-tar is a Tar for Node.js. |
| CVE-2025-64118 | | | | 2025-10-30 | node-tar is a Tar for Node.js. |
| CVE-2024-28863 | Medium | 6.5 | | 2024-03-21 | node-tar is a Tar for Node.js. |
| CVE-2021-37713 | High | 8.2 | | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37712 | High | 8.2 | | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37701 | High | 8.2 | | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-32804 | High | 8.2 | | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. |
| CVE-2021-32803 | High | 8.2 | | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. |

All-time worst (top 10 by CVSS)

| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2026-23950 | High | 8.8 | | 2026-01-20 | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. |
| CVE-2026-24842 | High | 8.2 | | 2026-01-28 | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. |
| CVE-2021-37713 | High | 8.2 | | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37712 | High | 8.2 | | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-37701 | High | 8.2 | | 2021-08-31 | The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. |
| CVE-2021-32804 | High | 8.2 | | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. |
| CVE-2021-32803 | High | 8.2 | | 2021-08-03 | The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. |
| CVE-2026-26960 | High | 7.1 | | 2026-02-20 | node-tar is a full-featured Tar for Node.js. |
| CVE-2024-28863 | Medium | 6.5 | | 2024-03-21 | node-tar is a Tar for Node.js. |
| CVE-2026-29786 | Medium | 6.3 | | 2026-03-07 | node-tar is a full-featured Tar for Node.js. |