Main Vulnerability Database Vulnerabilities #VU123630

#VU123630 Link following in node-tar

Published: March 9, 2026

Vulnerability identifier: #VU123630

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: N/A

CWE-ID: CWE-59

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
node-tar

Software vendor:
isaacs

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to insecure handling of symbolic links inside archives. A remote attacker can supply a specially crafted archive to the application that can overwrite arbitrary files on the system with privileges of the process performing data extraction.

Remediation

Install updates from vendor's website.

External links

https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256

#VU123630 Link following in node-tar

Description

Remediation

External links

Please verify you're human