Description
node-tar is a full-featured Tar implementation for Node.js. When extracting with default options in versions 7.5.7 and earlier, an attacker-controlled archive can create a hardlink inside the extraction directory whose link target points at a file outside the extraction root. Because the hardlink then shares the target's inode, reading or writing it inside the extraction directory reads or writes the outside file, giving arbitrary file read and write with the privileges of the extracting user. Severity is high because the hardlink bypasses the extractor's path protections and turns archive extraction into direct filesystem access. This issue has been fixed in version 7.5.8.
Mitigation
Apply the minimal update to a fixed version: 7.5.8 or later from npm, or the patched distribution package listed below. As with any update, the new version may introduce new vulnerabilities or breaking changes, so test the upgrade before rolling it out.
| Ecosystem | | Affected versions | Fixed version |
|---|---|---|---|
| debian 12 | | =6.1.13+~cs7.0.5-1 \|\| =6.1.13+~cs7.0.5-2 \|\| =6.1.13+~cs7.0.5-3 \|\| =6.1.13+~cs7.0.5-4 \|\| =6.2.1+ds1+~cs6.1.13-1 \|\| =6.2.1+ds1+~cs6.1.13-10 \|\| =6.2.1+ds1+~cs6.1.13-2 \|\| =6.2.1+ds1+~cs6.1.13-3 \|\| =6.2.1+ds1+~cs6.1.13-4 \|\| =6.2.1+ds1+~cs6.1.13-5 \|\| =6.2.1+ds1+~cs6.1.13-6 \|\| =6.2.1+ds1+~cs6.1.13-7 \|\| =6.2.1+ds1+~cs6.1.13-8 \|\| =6.2.1+ds1+~cs6.1.13-9 \|\| =6.2.1+~cs7.0.8-1 | - |
| debian 11 | | =6.0.5+ds1+~cs11.3.9-1 \|\| =6.0.5+ds1+~cs11.3.9-1+deb11u1 \|\| =6.0.5+ds1+~cs11.3.9-1+deb11u2 \|\| >=0 <6.0.5+ds1+~cs11.3.9-1+deb11u3 | 6.0.5+ds1+~cs11.3.9-1+deb11u3 |
| npm | | | 7.5.8 |
| debian 14 | | =6.2.1+ds1+~cs6.1.13-1 \|\| =6.2.1+ds1+~cs6.1.13-2 \|\| =6.2.1+ds1+~cs6.1.13-3 \|\| =6.2.1+ds1+~cs6.1.13-4 \|\| =6.2.1+ds1+~cs6.1.13-5 \|\| =6.2.1+ds1+~cs6.1.13-6 \|\| =6.2.1+ds1+~cs6.1.13-7 \|\| =6.2.1+~cs7.0.8-1 \|\| >=0 <6.2.1+ds1+~cs6.1.13-8 | 6.2.1+ds1+~cs6.1.13-8 |
| debian 13 | | =6.2.1+~cs7.0.8-1 \|\| >=0 <6.2.1+~cs7.0.8-1+deb13u1 | 6.2.1+~cs7.0.8-1+deb13u1 |