CVE-2026-31802
Directory Traversal via Symlink in node-tar Allows File Overwrite

Publication date: 2026-03-10

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: isaacs
Product: tar
Version / Range: all versions before 7.5.11 (7.5.11 excluded)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-31802 is a security vulnerability in the node-tar package for Node.js, affecting versions prior to 7.5.11. When extracting tar archives, the package can be tricked into creating symbolic links (symlinks) that point outside the intended extraction directory, because drive-relative symlink targets on Windows systems, such as "C:../../../target.txt", are not validated properly.

The vulnerability allows an attacker to craft a malicious tar archive containing symlinks that escape the extraction directory, enabling the overwriting of arbitrary files outside the current working directory during normal extraction.

The root cause is that the extraction logic validates the original symlink path before removing the drive letter, so the path is incorrectly treated as safe, while the actual symlink is created with a rewritten path that points outside the extraction root.

The vulnerability was fixed in version 7.5.11 by enforcing strict path normalization and validation that reject symlinks attempting to escape the extraction directory. [1, 2]

Impact Analysis

This vulnerability can have serious impacts if you use the node-tar package to extract untrusted tar archives. An attacker can craft a malicious tarball that creates symlinks pointing outside the extraction directory, allowing them to overwrite arbitrary files on your system.

The file overwrite occurs with the permissions of the process performing the extraction, potentially leading to unauthorized modification of critical files.

Such an exploit can be used to compromise system integrity by replacing or modifying files outside the intended directory, which can lead to further attacks or system instability.

This is particularly risky in environments where tarballs are extracted automatically, such as CLI tools, build or update pipelines, or services that import user-supplied archives.

Detection Guidance

This vulnerability can be detected by inspecting tar archives for symlink entries that use drive-relative paths (for example, paths starting with a drive letter such as C:) and point outside the intended extraction directory.

During extraction, warnings or errors such as "ENOENT: no such file or directory, link" or messages indicating "linkpath escapes extraction directory" may appear, signaling attempts to create malicious symlinks. To detect exploitation attempts on your system, monitor extraction logs for such warnings or errors.

No specific commands are provided in the resources, but a practical approach is to inspect a tar archive before extracting it, for example:

    tar -tvf archive.tar | grep ' -> '    # lists symlink entries (shown as "name -> target")
    tar -tvf archive.tar | grep -E '^l'   # lists symlinks specifically (mode string starts with l)

Then examine the link targets for drive-relative paths (starting with a drive letter and a colon) that could escape the extraction directory. [1, 2]

Mitigation Strategies

The primary mitigation step is to upgrade the node-tar package to version 7.5.11 or later, where this vulnerability is fixed.

The fix enforces strict path normalization and validation during tar extraction, preventing symlink targets from escaping the extraction directory.

Until the upgrade is applied, avoid extracting untrusted tar archives, especially those that may contain symlinks with drive-relative paths.

Additionally, monitor extraction processes for warnings or errors indicating symlink path traversal attempts.
