CVE-2026-31802 — MEDIUM (5.5)

Q: How severe is CVE-2026-31802?

CVE-2026-31802 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-31802?

Check the references section above for vendor advisories and patch information. Affected products include: Isaacs Tar.

Vulnerability Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Isaacs	Tar	< 7.5.11

Related Weaknesses (CWE)

CWE-22

References

https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6Vendor Advisory
https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256ExploitVendor Advisory
https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256ExploitVendor Advisory

FAQ

What is CVE-2026-31802?

CVE-2026-31802 is a vulnerability with a CVSS score of 5.5 (MEDIUM). node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink ta...

How severe is CVE-2026-31802?

CVE-2026-31802 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-31802?

Check the references section above for vendor advisories and patch information. Affected products include: Isaacs Tar.