Snyk
security.snyk.io › snyk vulnerability database › npm
tar | Snyk
Security vulnerabilities and package health score for npm package tar
CVE Details
cvedetails.com › vulnerability-list › vendor_id-72 › product_id-1394 › GNU-TAR.html
The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".
Discussions

[BUG] vulnerability in tar dependency
Is there an existing issue for this? I have searched the existing issues. This issue exists in the latest npm version. I am using the latest npm. Current Behavior: Latest npm version uses the dependenc...
github.com
January 18, 2026
npm install - How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date? - Stack Overflow
I just installed Flickity from NPM and got an NPM Audit Security Report after running npm audit stating that I have a high vulnerability issue regarding Arbitrary File Overwrite on package tar whic...
stackoverflow.com
[Security] Vulnerability in `tar`
Do not open a PR. We appreciate the enthusiasm but the fix is more complicated than it appears. We're considering our options. See https://www.npmjs.com/advisories/803 Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File ...
github.com
April 15, 2019
tar: Directory traversal vulnerability may lead to command execution / privilege escalation
Most of the file system is mounted read-only. However, we can overwrite /etc/shellrc to gain privileges next time root uses /bin/sh
github.com
November 8, 2020
Sweet
sweet.security › blog › python-tar-file-vulnerability-cve-2024-12718-what-you-need-to-know
Python Tar-File Vulnerability (CVE-2024-12718)
June 4, 2025 - Python versions 3.12 and newer are affected. The vulnerability specifically impacts use of the tarfile module when extracting archives using filter="data" (the default in Python 3.14+) or filter="tar".
GitHub
github.com › npm › cli › issues › 8917
[BUG] vulnerability in tar dependency · Issue #8917 · npm/cli
January 18, 2026 - Latest npm version uses the dependency: tar@7.5.2. During a CVE scan we found HIGH CVE for tar@7.5.2 (GHSA-8qq5-rm4j-mr97). The remediation is upgrading tar version to 7.5.3. Please upgrade to avoid exposure to the vulnerability.
Author: chkp-eladya
Security Compass
securitycompass.com › home › kontra › what is the tarfile vulnerability in python?
What Is The Tarfile Vulnerability in Python? - Kontra Hands-on Labs
November 26, 2024 - In this post, we’ll delve into ... vulnerability in Python is a path traversal vulnerability that allows attackers to overwrite arbitrary files when extracting untrusted tar archives....
Trellix
trellix.com › blogs › research › tarfile-exploiting-the-world
Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
The vulnerability is a path traversal attack in the extract and extractall functions in the tarfile module that allow an attacker to overwrite arbitrary files by adding the “..” sequence to filenames in a TAR archive.
CVE Details
cvedetails.com › product › 1394 › GNU-TAR.html
GNU TAR security vulnerabilities, CVEs, versions and CVE reports
This page lists vulnerability statistics for all versions of GNU » TAR. Vulnerability statistics provide a quick overview for security vulnerabilities of TAR.
GitHub
github.com › google › security-research › security › advisories › GHSA-xrg4-qp5w-2c3w
tar-fs Link Directory Traversal Vulnerability
The latest versions of tar-fs v3.0.8, v2.1.2 and v1.16.4 are all vulnerable to arbitrary file writes via a hard link.
Seal
seal.security › blog › a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
A Link To The Past: Uncovering a New Vulnerability in tar-fs
December 23, 2025 - This vulnerability made it so that during extraction of an archive tar-fs could create a hardlink to an arbitrary path on the filesystem, outside the destination folder.
Ubuntu
ubuntu.com › security › notices › USN-8138-2
USN-8138-2: tar-rs vulnerability | Ubuntu security notices | Ubuntu
1 week ago - It was discovered that tar-rs incorrectly handled symlinks when unpacking a tar archive.
GitHub
github.com › sass › node-sass › issues › 2625
[Security] Vulnerability in `tar` · Issue #2625 · sass/node-sass
April 15, 2019 - Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite.
Author: asbjornh
GitHub
github.com › SerenityOS › serenity › issues › 3991
tar: Directory traversal vulnerability may lead to command execution / privilege escalation · Issue #3991 · SerenityOS/serenity
November 8, 2020 - Labels: security · opened by bcoles on Nov 8, 2020 · $ cat shellrc /bin/id $ ./evilarc.py -f evil.tar.gz ...
Author: bcoles
GitHub
github.blog › home › security › vulnerability research › github security update: vulnerabilities in tar and @npmcli/arborist
GitHub security update: Vulnerabilities in tar and @npmcli/arborist - The GitHub Blog
September 8, 2021 - These vulnerabilities may result in arbitrary code execution due to file overwrite and creation when tar is used to extract untrusted tar files or when the npm CLI is used to install untrusted npm packages under certain file system conditions. ...
GitHub
github.com › advisories › GHSA-pq67-2wwv-3xjx
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File · CVE-2024-12905 · GitHub Advisory Database · GitHub
March 27, 2025 - An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result ...
Kaspersky
kaspersky.com › blog › tarfile-15-year-old-vulnerability › 45703
Vulnerability in tarfile module | Kaspersky official blog
September 30, 2022 - In September 2022, Trellix published ... language and can be used by anyone. The vulnerability allows an arbitrary file to be written to an arbitrary folder on the hard drive, and in some cases it also allows for malicious code ...
CVE Details
cvedetails.com › vulnerability-list › vendor_id-72 › product_id-1394 › GNU-TAR.html
GNU TAR : Security vulnerabilities, CVEs
... Directory traversal vulnerability in the safer_name_suffix function in GNU tar 1.14 through 1.29 might allow remote attackers to bypass an intended protection mechanism and write to arbitrary files via vectors related to improper sanitization of the file_name parameter, aka POINTYFEATHER.