tar Security - npm (Node.js) Vulnerabilities | GeekWala

tar

tar has 10 known security vulnerabilities in npm (Node.js). Upgrade to version 7.5.8 or later to resolve all known issues. Data sourced from OSV, enriched with EPSS exploit probability and CISA KEV.

10 Vulnerabilities

Recommended safe version: 7.5.8

Upgrading to 7.5.8 or later resolves all 10 known vulnerabilities in tar. Run: npm install tar@7.5.8


Total: 10 | Critical: 0 | High: 0 | Medium: 0 | Low: 0

Vulnerabilities

10 unique vulnerabilities, sorted by severity.

| CVE / GHSA | Summary | Severity | Affected | Fixed In |
|---|---|---|---|---|
| GHSA-34x7-hfp2-rc4v | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal | HIGH | All versions | 7.5.7 |
| GHSA-3jfq-g458-7qm9 | Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization | HIGH | All versions | 3.2.2, 4.4.14, 5.0.6 (+1 more) |
| GHSA-5955-9wpr-37jh | Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | HIGH | All versions | 4.4.18, 5.0.10, 6.1.9 |
| GHSA-83g3-92jg-28cx | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction | HIGH | All versions | 7.5.8 |
| GHSA-8qq5-rm4j-mr97 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization | HIGH | All versions | 7.5.3 |
| GHSA-9r2w-394v-53qc | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links | HIGH | All versions | 4.4.16, 5.0.8, 6.1.7 |
| GHSA-qq89-hq3f-393p | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links | HIGH | All versions | 4.4.18, 5.0.10, 6.1.9 |
| GHSA-r628-mhmh-qjhw | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning | HIGH | All versions | 3.2.3, 4.4.15, 5.0.7 (+1 more) |
| GHSA-r6q2-hw4h-h46w | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS | HIGH | All versions | 7.5.4 |
| GHSA-f5x3-32g6-xq36 | Denial of service while parsing a tar file due to lack of folders count validation | MODERATE | All versions | 6.2.1 |

About This Data

Vulnerability data for tar is sourced from the Open Source Vulnerability (OSV) database, aggregating reports from GitHub Advisory Database, NIST NVD, and ecosystem-specific sources.

CVSS (Common Vulnerability Scoring System) scores reflect exploitability and impact. EPSS (Exploit Prediction Scoring System) scores indicate the probability of exploitation within the next 30 days. Vulnerabilities marked with are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.


Data from OSV Database. Updated daily. 200K+ vulnerabilities indexed.