Isaacs Node-tar
8 CVEs affecting Isaacs Node-tar. Latest disclosed: 2026-03-09. Critical: 0, High: 3.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-23950 | High | 8.8 | 2026-01-20 | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path col… |
| CVE-2026-24842 | High | 8.2 | 2026-01-28 | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution se… |
| CVE-2026-26960 | High | 7.1 | 2026-02-20 | node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink insid… |
| CVE-2024-28863 | Medium | 6.5 | 2024-03-21 | node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker wh… |
| CVE-2026-31802 | | | 2026-03-09 | node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction direc… |
| CVE-2026-29786 | | | 2026-03-07 | node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory… |
| CVE-2026-23745 | | | 2026-01-16 | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is… |
| CVE-2025-64118 | | | 2025-10-30 | node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file… |