Security: isaacs/node-tar
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Uncaught Exception DoS via NUL byte in PAX path/linkpath recordsGHSA-gvwx-54wh-qm9j published
Jun 25, 2026 by isaacsModerate -
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)GHSA-vmf3-w455-68vh published
Jun 1, 2026 by isaacsModerate -
Process crash via PAX numeric path type confusionGHSA-w8wr-v893-vjvp published
Jun 27, 2026 by isaacsModerate -
Negative tar entry size causes infinite loop in archive replaceGHSA-8x88-c5mf-7j5w published
Jun 27, 2026 by isaacsHigh -
Symlink Path Traversal via Drive-Relative LinkpathGHSA-9ppj-qmqm-q256 published
Mar 9, 2026 by isaacsHigh -
Hardlink Path Traversal via Drive-Relative LinkpathGHSA-qffp-2rhf-9h96 published
Mar 4, 2026 by isaacsHigh -
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar ExtractionGHSA-83g3-92jg-28cx published
Feb 16, 2026 by isaacsHigh -
Decompression/parse DoS via unlimited inputGHSA-23hp-3jrh-7fpw published
Jun 27, 2026 by isaacsCritical -
Arbitrary File Read/Overwrite via Hardlink Path Traversal in node-tarGHSA-34x7-hfp2-rc4v published
Jan 27, 2026 by isaacsHigh -
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFSGHSA-r6q2-hw4h-h46w published
Jan 19, 2026 by isaacsHigh