Lucene search
K

31 matches found

Debian CVE
Debian CVE
added 2026/03/20 7:11 a.m.5 views

CVE-2026-33056

tar-rs is a tar archive reading/writing library for Rust. In versions 0.4.44 and below, when unpacking a tar archive, the tar crate's unpackdir function uses fs::metadata to check whether a path that already exists is a directory. Because fs::metadata follows symbolic links, a crafted tarball...

6.5CVSS5.5AI score0.00379EPSS
Exploits1
OSV
OSV
added 2026/02/20 2:16 a.m.6 views

DEBIAN-CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting use...

7.1CVSS6.2AI score0.00288EPSS
Exploits1References1
OSV
OSV
added 2026/02/20 2:16 a.m.5 views

UBUNTU-CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting use...

7.1CVSS5.9AI score0.00288EPSS
Exploits1References5
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.8 views

PT-2026-20374

Name of the Vulnerable Software and Affected Versions node-tar versions 7.5.7 and below node-tar version 7.5.8 Description The node-tar package contains a flaw where an attacker-controlled archive, when extracted using default options, can create a hardlink inside the extraction directory that...

8.8CVSS5.6AI score0.0034EPSS
Exploits1References222
Veracode
Veracode
added 2026/01/21 3:7 p.m.6 views

Symlink Poisoning

node-tar is vulnerable to Symlink Poisoning. The vulnerability is due to insufficient sanitization of hardlink and symlink linkpath values during archive extraction, where malicious tar entries can bypass the extraction root restriction and overwrite arbitrary files or create dangerous symlinks...

8.2CVSS5.7AI score0.00334EPSS
Exploits2References13Affected Software1
OSV
OSV
added 2026/01/16 10:16 p.m.12 views

UBUNTU-CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...

8.2CVSS6.7AI score0.00334EPSS
Exploits2References4
OSV
OSV
added 2026/01/16 9:16 p.m.1 views

GHSA-8QQ5-RM4J-MR97 node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

Summary The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and...

8.2CVSS5.9AI score0.00334EPSS
Exploits2References4
Github Security Blog
Github Security Blog
added 2026/01/16 9:16 p.m.26 views

node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

Summary The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and...

8.2CVSS7.6AI score0.00334EPSS
Exploits2References4Affected Software1
Positive Technologies
Positive Technologies
added 2026/01/16 12:0 a.m.6 views

PT-2026-3329

Name of the Vulnerable Software and Affected Versions node-tar versions = 7.5.2 Description The node-tar library fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false, which is the default secure behavior. This allows malicious archives to bypass...

8.2CVSS5.3AI score0.00334EPSS
Exploits2References239
Github Security Blog
Github Security Blog
added 2019/09/17 11:21 p.m.24 views

Symlink Arbitrary File Overwrite in bower

Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory. Recommendation Update to version 1.8.8 or later...

7.5CVSS4.8AI score0.02566EPSS
Exploits1References9Affected Software1
Node.js
Node.js
added 2015/11/03 7:15 a.m.83 views

Symlink Arbitrary File Overwrite

Overview Versions of tar prior to 2.0.0 are affected by an arbitrary file write vulnerability. The vulnerability occurs because tar does not verify that extracted symbolic links to not resolve to targets outside of the extraction root directory. Recommendation Update to version 2.0.0 or later...

5CVSS4.2AI score0.04912EPSS
Exploits0Affected Software1
Rows per page
Query Builder