Symlink Vulnerability in node-tar for Node.js by Isaacs
CVE-2026-31802

8.2HIGH

Key Information:

Vendor: Isaacs
Status: Node-tar
Vendor: CVE Published:; 9 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-31802?

node-tar, a comprehensive Tar utility for Node.js, is susceptible to a symlink vulnerability that allows an attacker to craft a drive-relative symlink target. This exploitation can lead to the creation of symlinks that point to paths outside the targeted extraction directory. As a result, during the normal extraction process using tar.x(), files can be overwritten outside the current working directory. This issue was resolved in version 7.5.11, reinforcing the importance of using updated packages to maintain security integrity.

Affected Version(s)

node-tar < 7.5.11

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-31802
Created by Jvr2022

npm-tar-traversal-scanner
Created by ridhinva

References

https://github.com/isaacs/node-tar/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/isaacs/node-tar/commit/f48b5fa3b7985dd...

x_refsource_MISC

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Mar 15, 2026
👾
Exploit known to exist
Mar 15, 2026
Vulnerability published
Mar 9, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31802 Data

JSON