CVE-2026-31802
Directory Traversal via Symlink in node-tar Allows File Overwrite
Publication date: 2026-03-10
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isaacs | tar (node-tar) | < 7.5.11 (all versions before 7.5.11; 7.5.11 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31802 is a vulnerability in the node-tar package for Node.js, affecting versions prior to 7.5.11. When extracting a tar archive on Windows, node-tar can be tricked into creating symbolic links (symlinks) whose targets point outside the intended extraction directory, because it does not properly validate drive-relative symlink targets such as "C:../../../target.txt".
An attacker can craft a tar archive containing such symlinks; during an otherwise normal extraction, the escaping symlinks allow arbitrary files outside the extraction directory (the current working directory) to be overwritten.
The root cause is an ordering error in the extraction logic: the original symlink target is validated before the drive letter is removed, so the traversal check judges the target safe, while the symlink is then created with the rewritten (drive-stripped) path, which resolves outside the extraction root.
The issue is fixed in version 7.5.11, which enforces strict path normalization and validation and rejects symlink targets that would escape the extraction directory. [1, 2]
How can this vulnerability impact me?
This vulnerability can have serious impacts if you use the node-tar package to extract untrusted tar archives. An attacker can craft a malicious tarball that creates symlinks pointing outside the extraction directory, allowing them to overwrite arbitrary files on your system.
The file overwrite occurs with the permissions of the process performing the extraction, potentially leading to unauthorized modification of critical files.
Such an exploit can be used to compromise system integrity by replacing or modifying files outside the intended directory, which can lead to further attacks or system instability.
This is particularly risky in environments where tarballs are extracted automatically, such as CLI tools, build or update pipelines, or services that import user-supplied archives.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Inspect tar archives before extraction for symlink entries whose targets use drive-relative paths (a drive letter followed by a colon, such as "C:", with no separator after it) and would point outside the intended extraction directory.
During extraction, warnings or errors such as "ENOENT: no such file or directory, link" or messages that a "linkpath escapes extraction directory" may indicate an attempt to create such a symlink; monitoring extraction logs for them is one way to detect exploitation attempts on a system.
The resources do not provide specific detection commands, but a practical approach is to list an archive's symlink entries manually before extracting it:
tar -tvf archive.tar | grep '^l' # symlink entries; the target is printed after "->"
In verbose tar listings a symlink entry begins with the type character l. Grepping for the word "link" instead matches GNU tar's "link to" hard-link entries rather than symlinks, so it is not a reliable filter.
Then examine each link target for a drive-relative prefix, an absolute path, or a chain of ".." components that could escape the extraction directory. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the node-tar package to version 7.5.11 or later, where this vulnerability is fixed.
The fix enforces strict path normalization and validation during tar extraction, preventing symlink targets from escaping the extraction directory.
Until the upgrade is applied, avoid extracting untrusted tar archives, especially those that may contain symlinks with drive-relative paths.
Additionally, monitor extraction processes for warnings or errors indicating symlink path traversal attempts.