node-tar Symlink Path Traversal via Drive-Relative Linkpath

🗓️ 10 Mar 2026 23:44:58Reported by GitHub Advisory DatabaseType

Tar extraction can overwrite files outside the extraction directory using a drive-relative symlink target.

Reporter	Title	Published	Views	Family All 78
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules.	21 Apr 202618:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses tar-7.5.9.tgz which is vulnerable to CVE-2026-31802	5 May 202611:29	–	ibm
IBM Security Bulletins	Security Bulletin: Security Vulnerabilities affect IBM Voice Gateway	31 Mar 202615:54	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution, loss of confidentiality and denial of service	6 May 202613:05	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Watsonx BI Assistant for CP4D	27 Apr 202616:13	–	ibm
IBM Security Bulletins	Security Bulletin: Maximo AI Service uses multiple third party dependencies which is vulnerable to multiple CVEs.	27 Apr 202607:43	–	ibm
GithubExploit	Exploit for CVE-2026-31802	14 Mar 202622:04	–	githubexploit
GithubExploit	Exploit for Path Traversal in Isaacs Tar	28 Mar 202620:49	–	githubexploit
ATTACKERKB	CVE-2026-31802	9 Mar 202621:11	–	attackerkb
AlpineLinux	CVE-2026-31802	9 Mar 202621:11	–	alpinelinux

Vulners

Node

tar_project tarRange≤7.5.10npm

Source	Link
github	www.github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-31802
github	www.github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad
github	www.github.com/advisories/GHSA-9ppj-qmqm-q256

10 Mar 2026 23:44Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.15.5

CVSS 48.2

EPSS0.00009

SSVC