tar 7.4.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the tar package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Symlink Attack tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Symlink Attack via `tar.x()` extraction, which allows an attacker to overwrite arbitrary files outside the intended extraction directory with a drive-relative symlink target - like `C:../../../target.txt`. How to fix Symlink Attack? Upgrade `tar` to version 7.5.11 or higher.	<7.5.11
H Symlink Attack tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Symlink Attack exploitable via `stripAbsolutePath()`, used by the `Unpack` class. An attacker can overwrite arbitrary files outside the intended extraction directory by including a hardlink whose `linkpath` uses a drive-relative path such as `C:../target.txt` in a malicious tar. How to fix Symlink Attack? Upgrade `tar` to version 7.5.10 or higher.	<7.5.10
H Directory Traversal tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Directory Traversal via the `extract()` function. An attacker can read or write files outside the intended extraction directory by causing the application to extract a malicious archive containing a chain of symlinks leading to a hardlink, which bypasses path validation checks. How to fix Directory Traversal? Upgrade `tar` to version 7.5.8 or higher.	<7.5.8
M Directory Traversal tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Directory Traversal via processing of hardlinks. An attacker can read or overwrite arbitrary files on the file system by crafting a malicious TAR archive that bypasses path traversal protections during extraction. How to fix Directory Traversal? Upgrade `tar` to version 7.5.7 or higher.	<7.5.7
M Directory Traversal tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Directory Traversal via insufficient sanitization of the `linkpath` parameter during archive extraction. An attacker can overwrite arbitrary files or create malicious symbolic links by crafting a tar archive with hardlink or symlink entries that resolve outside the intended extraction directory. How to fix Directory Traversal? Upgrade `tar` to version 7.5.3 or higher.	<7.5.3
M Improper Handling of Unicode Encoding tar is a full-featured Tar for Node.js. Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in Path Reservations via Unicode Sharp-S (`ß`) Collisions on macOS APFS. An attacker can overwrite arbitrary files by exploiting Unicode normalization collisions in filenames within a malicious tar archive on case-insensitive or normalization-insensitive filesystems. Note: This is only exploitable if the system is running on a filesystem such as macOS APFS or HFS+ that ignores Unicode normalization. How to fix Improper Handling of Unicode Encoding? Upgrade `tar` to version 7.5.4 or higher.	<7.5.4

Vulnerability

Vulnerable Version

Symlink Attack