Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

node-tar — Vulnerabilities & Security Advisories 14

All 14 CVE vulnerabilities found in node-tar, with AI-generated Chinese analysis, references, and POCs.

This page documents common weaknesses and security vulnerabilities associated with the node-tar product, a widely used JavaScript implementation of the POSIX Tar format. The content focuses on the CWE-119 class of vulnerabilities, which involves improper restriction of operations within the bounds of a memory buffer, specifically highlighting how this product has been susceptible to maliciously crafted archive files. This aggregation page collects data regarding these security flaws, covering incidents and advisories published between the initial release of the library and recent updates in the current decade. Here, you can discover detailed records of how the vendor has addressed specific security risks, track the history of advisories issued by the node-tar maintainers, and understand the broader implications of buffer-related weakness classes in file parsing libraries. The goal is to provide a clear, factual overview of the security landscape for this specific tool, allowing developers and security analysts to review past incidents, assess the severity of identified issues, and understand the remediation steps that were taken. This resource serves as a reference for understanding the evolution of security practices within the node-tar project, highlighting both the nature of the vulnerabilities found and the responses from the open-source community. It does not cover every single defect but focuses on those relevant to supply chain integrity and file handling security.

Vendor: npm

CVE IDTitleCVSSSeverityPublished
CVE-2026-53655 node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) CWE-436--2026-06-22
CVE-2026-31802 node-tar Symlink Path Traversal via Drive-Relative Linkpath CWE-22 7.5AIHighAI2026-03-09
CVE-2026-29786 node-tar: Hardlink Path Traversal via Drive-Relative Linkpath CWE-22 7.5 -2026-03-07
CVE-2026-26960 node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction CWE-22 7.1 High2026-02-20
CVE-2026-24842 node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal CWE-22 8.2 High2026-01-28
CVE-2026-23950 node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS CWE-176 8.8 High2026-01-20
CVE-2026-23745 node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization CWE-22 9.1 -2026-01-16
CVE-2025-64118 node-tar vulnerable to race condition leading to uninitialized memory exposure CWE-362 5.3AIMediumAI2025-10-30
CVE-2024-28863 node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation CWE-400 6.5 Medium2024-03-21
CVE-2021-37713 Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization CWE-22 8.2 High2021-08-31
CVE-2021-37701 Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links CWE-22 8.2 High2021-08-31
CVE-2021-37712 Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links CWE-22 8.2 High2021-08-31
CVE-2021-32804 Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization CWE-22 8.2 High2021-08-03
CVE-2021-32803 Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning CWE-22 8.2 High2021-08-03

All 14 known CVE vulnerabilities affecting node-tar with full Chinese analysis, references, and POCs where available.