node-tar
Safeguard articles tagged "node-tar" — guides, analysis, and best practices for software supply chain and application security.
5 articles
tar (node-tar) Security Guide (2026)
node-tar is the archive engine underneath npm install itself — and a cluster of path-traversal and symlink CVEs made 'just extracting a tarball' one of the more dangerous operations in the Node.js ecosystem.
Filesystem takeover vulnerabilities in the npm package manager
How npm and node-tar "filesystem takeover" CVEs let malicious packages overwrite files via symlinks and path traversal during install.
node-tar Arbitrary File Write via Symlink Extraction (CVE...
CVE-2021-32803 allows crafted symlinks in tar archives to make node-tar write files outside the extraction directory via malicious npm packages.
node-tar Second Bypass Enabling Arbitrary File Write (CVE...
CVE-2021-32804 let crafted tar archives bypass node-tar path sanitization, enabling arbitrary file writes during npm package extraction.
node-tar Windows-Specific Path Traversal Bypass (CVE-2021...
CVE-2021-37712 let malicious tar archives bypass node-tar's symlink protections on Windows via junctions, enabling path traversal during npm installs. Here's what to patch.