npm / tar

node-tar has a race condition leading to uninitialized memory exposure

Modified: 2/4/2026

node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

Modified: 2/4/2026

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Modified: 3/13/2026

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

Modified: 3/13/2026

Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction

Modified: 2/20/2026

node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

Modified: 2/22/2026

node-tar Symlink Path Traversal via Drive-Relative Linkpath

Modified: 3/13/2026

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Modified: 3/13/2026

Denial of service while parsing a tar file due to lack of folders count validation

Modified: 2/4/2026

Symlink Arbitrary File Overwrite in tar

Modified: 11/8/2023

Arbitrary File Overwrite in tar

Modified: 11/29/2023

tar has Hardlink Path Traversal via Drive-Relative Linkpath

Modified: 3/10/2026

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links

Modified: 3/13/2026

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Modified: 3/13/2026

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS

Modified: 3/16/2026

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

Modified: 6/15/2026