CVE-2026-31802 Overview
CVE-2026-31802 is a path traversal vulnerability affecting node-tar, a full-featured Tar library for Node.js. Prior to version 7.5.11, the library can be exploited to create symlinks that point outside the intended extraction directory. This is achieved by crafting malicious tar archives containing drive-relative symlink targets such as C:../../../target.txt, which enables arbitrary file overwrite outside the current working directory during standard tar.x() extraction operations.
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal) and poses a significant risk to applications that process untrusted tar archives.
Critical Impact
Attackers can overwrite arbitrary files outside the extraction directory by exploiting improper symlink path validation, potentially leading to code execution, configuration tampering, or denial of service through file corruption.
Affected Products
- node-tar versions prior to 7.5.11
- npm packages depending on vulnerable node-tar versions
- Node.js applications using tar extraction functionality with untrusted archives
Discovery Timeline
- 2026-03-10 - CVE-2026-31802 published to NVD
- 2026-03-11 - Last updated in the NVD database
Technical Details for CVE-2026-31802
Vulnerability Analysis
The vulnerability exists in the symlink path validation logic within node-tar. When extracting tar archives, the library failed to properly sanitize drive-relative paths on Windows systems. The path format C:../../../target.txt is a drive-relative path: it is resolved against the current working directory of the C: drive, rather than from the drive root as an absolute path would be.
This subtle distinction bypasses the existing path traversal protections, which check for traditional ../ sequences at the beginning of a path. Because the target begins with a drive letter rather than ../, the validation logic did not recognise the Windows-specific drive-relative notation as a traversal, allowing symlinks to escape the intended extraction boundary.
When a malicious tar archive is processed using the standard tar.x() extraction method, the symlink is created pointing to a location outside the current working directory. Subsequent operations that follow this symlink can then read, write, or overwrite files in unintended locations on the filesystem.
Root Cause
The root cause is inadequate input validation of symlink targets within tar archives. Specifically, the path normalization routine failed to recognize Windows drive-relative path syntax as a potential path traversal vector. While absolute paths and Unix-style relative paths with leading ../ sequences were properly blocked, the C:../ pattern was not identified as malicious.
This is a classic example of insufficient platform-specific security handling, where security controls implemented for one operating system paradigm do not adequately address edge cases in another.
Attack Vector
The attack requires local access and involves the following exploitation scenario:
An attacker crafts a malicious tar archive containing a symlink entry with a carefully constructed drive-relative target path. When a vulnerable application extracts this archive using node-tar's tar.x() function, the symlink is created pointing outside the designated extraction directory. The attacker can then leverage this symlink to overwrite critical files, potentially achieving code execution if application configuration files, scripts, or binaries are targeted.
The attack is particularly dangerous in automated build pipelines, package managers, and any application that processes tar archives from untrusted sources without additional path validation.
Detection Methods for CVE-2026-31802
Indicators of Compromise
- Unexpected symlinks in extraction directories pointing to paths outside the intended scope
- File modifications in system directories or application configuration folders following tar extraction operations
- Audit logs showing file access patterns consistent with symlink-based path traversal
- Presence of symlinks containing drive-relative notation (e.g., C:../) in extracted content
Detection Strategies
- Implement file integrity monitoring on critical system and application files
- Monitor process activity for unexpected file operations following tar extraction events
- Audit npm dependency trees to identify node-tar versions prior to 7.5.11
- Deploy application-level logging to track tar extraction operations and resulting filesystem changes
Monitoring Recommendations
- Enable filesystem auditing for symlink creation events on sensitive directories
- Implement automated scanning of npm projects to detect vulnerable node-tar dependencies
- Configure SentinelOne endpoint protection to monitor for symlink-based escape attempts during archive extraction
- Establish baseline behavior for applications that perform tar extraction and alert on anomalies
How to Mitigate CVE-2026-31802
Immediate Actions Required
- Upgrade node-tar to version 7.5.11 or later immediately
- Audit all projects and containers for vulnerable node-tar versions using npm audit or equivalent tools
- Review and restrict permissions for applications that process untrusted tar archives
- Implement additional path validation before processing extracted symlinks
Patch Information
The vulnerability has been fixed in node-tar version 7.5.11. The fix addresses the improper validation of drive-relative symlink targets by enhancing the path sanitization logic to detect and block Windows-specific path traversal patterns.
For technical details on the patch, refer to the GitHub commit and the GitHub Security Advisory GHSA-9ppj-qmqm-q256.
Workarounds
- Avoid extracting tar archives from untrusted sources until patching is complete
- Implement additional symlink validation in application code before following extracted symlinks
- Use containerization or sandboxing to isolate tar extraction operations from sensitive filesystem areas
- Configure file system permissions to prevent symlink creation in critical directories by extraction processes
# Install the patched node-tar release as a direct dependency
npm install tar@^7.5.11
# Audit the project for vulnerable dependencies
npm audit
# Update every copy of tar in the dependency tree and lock file
# (npm 7 and later update nested copies as well; --depth is not needed)
npm update tar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.