27 matches found
CVE-2026-59875
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is...
CVE-2026-59871
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPathentry.path.split'/' to throw an uncaught TypeError. This issue is...
EUVD-2026-42308
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPathentry.path.split'/' to throw an uncaught TypeError. This issue is...
CVE-2026-59875 node-tar: Uncaught Exception DoS via NUL byte in PAX path/linkpath records
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is...
CVE-2026-59875 node-tar: Uncaught Exception DoS via NUL byte in PAX path/linkpath records
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is...
CVE-2026-59875
CVE-2026-59875 affects the Node.js tar library node-tar prior to 7.5.17. The root cause is that NUL bytes are not stripped from PAX path and linkpath records in src/pax.ts, which can allow a crafted archive to reach fs.lstat or fs.open and terminate the process with an uncaught exception. The iss...
Atlassian Jira Service Management Data Center and Server 5.15.2 < 10.3.18 / 10.4.x < 11.3.3 (JSDSERVER-16528)
The version of Atlassian Jira Service Management Data Center and Server Jira Service Desk running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16528 advisory. - node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link...
tar has Hardlink Path Traversal via Drive-Relative Linkpath
Summary tar npm can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Details The extraction logic in UnpackSTRIPABSOLUTEPATH chec...
Important: nodejs24
Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...
Important: nodejs20
Issue Overview: node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to...
Symlink Poisoning
node-tar is vulnerable to Symlink Poisoning. The vulnerability is due to insufficient sanitization of hardlink and symlink linkpath values during archive extraction, where malicious tar entries can bypass the extraction root restriction and overwrite arbitrary files or create dangerous symlinks...
CVE-2026-23745
A flaw was found in the node-tar library. This vulnerability allows an attacker to craft malicious archives that, when extracted, can bypass intended security restrictions. This leads to arbitrary file overwrite and symlink poisoning, potentially allowing unauthorized modification of files on the...
Exploit for CVE-2026-23745
CVE-2026-23745: node-tar Arbitrary File Overwrite Research:...
Linux Distros Unpatched Vulnerability : CVE-2026-23745
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false...
DEBIAN-CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745
node-tar (Tar for Node.js) vulnerability CVE-2026-23745: the library fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false, allowing bypass of extraction root restrictions and leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning ...
CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...
CVE-2026-23745
node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwri...