node-tar (the npm package tar) is the JavaScript implementation of the tar archive format, and it is about as foundational as a library gets: npm uses it to unpack every package you install, and it sits under countless build tools, deployment scripts, and any Node.js code that reads or writes .tar / .tar.gz archives. On npm it sees enormous weekly download volume, almost entirely transitive. Extraction is inherently dangerous — a tar archive is a list of file paths plus contents, and a malicious archive can try to write outside the directory you extracted into, or plant a symlink and then write through it. node-tar's security history is exactly this story: a cluster of 2021 CVEs where crafted archives achieved arbitrary file creation and overwrite, which on the wrong file means code execution.
The notable historical CVEs
node-tar's headline advisories are about breaking out of the extraction directory, through either path manipulation or symlinks. These are all real, published advisories:
- CVE-2021-32803 — insufficient symlink protection allowed a crafted archive to extract a symlink into a directory and then write a file through it, landing content outside the target. Fixed in
6.1.2,5.0.7,4.4.15, and3.2.3. - CVE-2021-32804 — insufficient absolute-path sanitization: paths with repeated roots such as
////home/user/.bashrcstill resolved to an absolute location, allowing arbitrary file creation and overwrite. Fixed in6.1.1,5.0.6,4.4.14, and3.3.2. - CVE-2021-37713 — on Windows, a path that specified a drive letter different from the extraction target escaped the intended directory, again enabling arbitrary file write and code execution. Fixed in
6.1.9,5.0.10, and4.4.18, with the follow-up hardening for it and the related CVE-2021-37712 landing in6.1.10,5.0.11, and4.4.19.
An earlier advisory, CVE-2018-20834, covered an arbitrary file overwrite via symlink in node-tar before 4.4.2 — the same class of bug that the 2021 cluster revisited more thoroughly. The recurring theme is that safe extraction requires defending several distinct escape techniques at once, which is why the fixes came in waves.
Common misuse and risks
- Extracting untrusted archives to a sensitive location. The core risk is unpacking an archive whose contents an attacker controls — a user upload, a downloaded artifact, a plugin bundle — into a directory where an escaped write could clobber a startup script, an SSH key, or a config file. That is how arbitrary file write becomes code execution.
- Trusting symlinks inside archives. A malicious archive can plant a symlink entry pointing at a parent directory or absolute path, then write through it. Without the fixes, node-tar followed it.
- Cross-platform assumptions. The Windows drive-letter escape (CVE-2021-37713) shows that path sanitization safe on Linux can still be bypassed on Windows.
- Deeply transitive, stale copies. Because npm itself depends on
tar, a vulnerable version can linger in a tree behind an intermediate package's loose range.
How to use tar (node-tar) safely
Set the version floor: run a current tar release (the 7.x line in 2026) and never operate below 6.1.11 on the 6.x line, which sits above the entire 2021 path-traversal and symlink cluster. If you are pinned to an older major, use 5.0.11 or 4.4.19 at minimum — the releases that include the follow-up fixes, not just the first patch.
Then treat extraction as an untrusted-input operation:
- Extract untrusted archives into a throwaway, sandboxed directory. Never unpack attacker-controlled content directly into a working tree, home directory, or anywhere with sensitive files.
- Use the built-in guards. node-tar exposes options to reject entries that escape the target and to refuse absolute paths and unsafe links; the
filteroption lets you inspect and drop suspicious entries before they are written. Keep these protections on rather than disabling them for convenience. - Validate entry paths yourself for high-risk intake. Reject any entry whose resolved path falls outside the extraction root, and be explicit about how you handle symlinks and hard links.
- Cap sizes. Enforce limits on entry count and uncompressed size to blunt archive-bomb denial of service.
- Pin and monitor. Commit a lockfile and confirm every resolved
tarcopy is patched.
How to monitor tar (node-tar) with SCA and reachability
Because npm depends on tar, a scanner flags it in essentially every Node.js project, usually transitively and sometimes in more than one version. The bare presence tells you little; what matters is whether your code actually extracts untrusted archives, and whether the resolved copy is on a release that includes the complete 2021 fixes rather than only the first patch.
Safeguard's software composition analysis resolves your full npm dependency graph, surfaces every tar version in the tree, and adds call-path reachability so a path-traversal advisory on an extraction path your code actually reaches is separated from a copy buried in a build tool that only ever unpacks trusted packages. When a bump is warranted, autonomous auto-fix opens a tested pull request, and Griffin AI explains whether a given copy is exploitable in your usage. Developers run the same analysis locally and in CI with the Safeguard CLI, and teams evaluating alternatives can review the Snyk comparison.
Bring continuous, prioritized dependency analysis to your Node.js services — get started free or read the documentation.
Frequently Asked Questions
Which tar (node-tar) version is safe in 2026?
Run a current release on the 7.x line, and never operate below 6.1.11 on the 6.x line. That covers the full 2021 cluster — the symlink write (CVE-2021-32803), the absolute-path escape (CVE-2021-32804), and the Windows drive-letter escape (CVE-2021-37713) plus its follow-up. If you are stuck on an older major, use at least 5.0.11 or 4.4.19, the releases with the complete fixes.
Why is extracting a tar archive dangerous?
A tar archive is a list of file paths and contents, so a malicious archive can try to write outside the directory you extract into — via ../ traversal, absolute paths, a Windows drive letter, or a planted symlink it then writes through. If an escaped write lands on a startup script, key, or config file, arbitrary file write becomes code execution.
How should I safely extract an untrusted archive?
Extract into a disposable, sandboxed directory that contains no sensitive files, keep node-tar's built-in protections against directory escape and unsafe links enabled, and use the filter option to drop suspicious entries before they are written. Reject any entry whose resolved path falls outside the extraction root, and cap entry count and size to prevent archive bombs.
How do I know if a tar CVE actually affects my app?
Use reachability-aware SCA. It enumerates every tar copy in your dependency tree and traces whether your code reaches an extraction path that handles untrusted archives — so you can prioritize a genuinely reachable, unpatched copy over one that only unpacks trusted packages inside a build tool.