Description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Mitigation
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Fixed version |
|---|---|---|---|
| debian 11 | | =6.0.5+ds1+~cs11.3.9-1 \|\| =6.0.5+ds1+~cs11.3.9-1+deb11u1 \|\| =6.0.5+ds1+~cs11.3.9-1+deb11u2 \|\| >=0 <6.0.5+ds1+~cs11.3.9-1+deb11u3 | 6.0.5+ds1+~cs11.3.9-1+deb11u3 |
| debian 12 | | =6.1.13+~cs7.0.5-1 \|\| =6.1.13+~cs7.0.5-2 \|\| =6.1.13+~cs7.0.5-3 \|\| =6.1.13+~cs7.0.5-4 \|\| =6.2.1+ds1+~cs6.1.13-1 \|\| =6.2.1+ds1+~cs6.1.13-10 \|\| =6.2.1+ds1+~cs6.1.13-2 \|\| =6.2.1+ds1+~cs6.1.13-3 \|\| =6.2.1+ds1+~cs6.1.13-4 \|\| =6.2.1+ds1+~cs6.1.13-5 \|\| =6.2.1+ds1+~cs6.1.13-6 \|\| =6.2.1+ds1+~cs6.1.13-7 \|\| =6.2.1+ds1+~cs6.1.13-8 \|\| =6.2.1+ds1+~cs6.1.13-9 \|\| =6.2.1+~cs7.0.8-1 | - |
| debian 14 | | =6.2.1+ds1+~cs6.1.13-1 \|\| =6.2.1+ds1+~cs6.1.13-2 \|\| =6.2.1+ds1+~cs6.1.13-3 \|\| =6.2.1+ds1+~cs6.1.13-4 \|\| =6.2.1+ds1+~cs6.1.13-5 \|\| =6.2.1+ds1+~cs6.1.13-6 \|\| =6.2.1+ds1+~cs6.1.13-7 \|\| =6.2.1+~cs7.0.8-1 \|\| >=0 <6.2.1+ds1+~cs6.1.13-8 | 6.2.1+ds1+~cs6.1.13-8 |
| debian 13 | | =6.2.1+~cs7.0.8-1 \|\| >=0 <6.2.1+~cs7.0.8-1+deb13u1 | 6.2.1+~cs7.0.8-1+deb13u1 |
| npm | | | 7.5.10 |