node-tar - Debian Package Tracker

general

source: node-tar (main)
version: 6.2.1+ds1+~cs6.1.13-10
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Jérémy Lal [DMD]
arch: all
std-ver: 4.7.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 6.0.5+ds1+~cs11.3.9-1+deb11u2
o-o-sec: 6.0.5+ds1+~cs11.3.9-1+deb11u2
oldstable: 6.1.13+~cs7.0.5-1
stable: 6.2.1+~cs7.0.8-1
stable-p-u: 6.2.1+~cs7.0.8-1+deb13u1
testing: 6.2.1+ds1+~cs6.1.13-10
unstable: 6.2.1+ds1+~cs6.1.13-10

versioned links

6.0.5+ds1+~cs11.3.9-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.1.13+~cs7.0.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.1+~cs7.0.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.1+~cs7.0.8-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
6.2.1+ds1+~cs6.1.13-10: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-tar

action needed

A new upstream version is available: 7.5.13+~cs7.0.87 high

A new upstream version 7.5.13+~cs7.0.87 is available, you should consider packaging it.

Created: 2026-01-18 Last update: 2026-04-04 08:31

6 security issues in bullseye high

There are 6 open security issues in bullseye.

5 important issues:

CVE-2026-23745: node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
CVE-2026-24842: node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
CVE-2026-26960: node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
CVE-2026-29786: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
CVE-2026-31802: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

1 issue postponed or untriaged:

CVE-2024-28863: (needs triaging) node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Created: 2026-01-17 Last update: 2026-03-26 04:46

lintian reports 3 warnings normal

Lintian reports 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-03-25 Last update: 2026-03-25 03:30

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:

CVE-2024-28863: (needs triaging) node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
CVE-2026-23745: (needs triaging) node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
CVE-2026-26960: (needs triaging) node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
CVE-2026-29786: (needs triaging) node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-03-22 Last update: 2026-03-26 04:46

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.3).

Created: 2026-03-31 Last update: 2026-03-31 15:01

news

[rss feed]

[2026-04-03] Accepted node-tar 6.2.1+~cs7.0.8-1+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2026-03-26] node-tar 6.2.1+ds1+~cs6.1.13-10 MIGRATED to testing (Debian testing watch)
[2026-03-24] Accepted node-tar 6.2.1+ds1+~cs6.1.13-10 (source) into unstable (Xavier Guimard)
[2026-03-23] Accepted node-tar 6.2.1+ds1+~cs6.1.13-9 (source) into unstable (Xavier Guimard)
[2026-03-11] node-tar 6.2.1+ds1+~cs6.1.13-8 MIGRATED to testing (Debian testing watch)
[2026-03-08] Accepted node-tar 6.2.1+ds1+~cs6.1.13-8 (source) into unstable (Xavier Guimard)
[2026-01-24] node-tar 6.2.1+ds1+~cs6.1.13-7 MIGRATED to testing (Debian testing watch)
[2026-01-22] Accepted node-tar 6.2.1+ds1+~cs6.1.13-7 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2026-01-21] node-tar 6.2.1+ds1+~cs6.1.13-6 MIGRATED to testing (Debian testing watch)
[2026-01-17] Accepted node-tar 6.2.1+ds1+~cs6.1.13-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2026-01-01] node-tar 6.2.1+ds1+~cs6.1.13-5 MIGRATED to testing (Debian testing watch)
[2025-12-28] Accepted node-tar 6.2.1+ds1+~cs6.1.13-5 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-28] node-tar 6.2.1+ds1+~cs6.1.13-4 MIGRATED to testing (Debian testing watch)
[2025-12-25] Accepted node-tar 6.2.1+ds1+~cs6.1.13-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-25] Accepted node-tar 6.2.1+ds1+~cs6.1.13-3 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-25] node-tar 6.2.1+ds1+~cs6.1.13-2 MIGRATED to testing (Debian testing watch)
[2025-12-22] Accepted node-tar 6.2.1+ds1+~cs6.1.13-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-03] node-tar 6.2.1+ds1+~cs6.1.13-1 MIGRATED to testing (Debian testing watch)
[2025-12-01] Accepted node-tar 6.2.1+ds1+~cs6.1.13-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-08-14] node-tar 6.2.1+~cs7.0.8-1 MIGRATED to testing (Debian testing watch)
[2024-08-12] Accepted node-tar 6.2.1+~cs7.0.8-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-08-09] Accepted node-tar 6.1.13+~cs7.0.5-4 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2024-04-05] node-tar 6.1.13+~cs7.0.5-3 MIGRATED to testing (Debian testing watch)
[2024-04-03] Accepted node-tar 6.1.13+~cs7.0.5-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2024-03-22] Accepted node-tar 6.1.13+~cs7.0.5-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-25] node-tar 6.1.13+~cs7.0.5-1 MIGRATED to testing (Debian testing watch)
[2022-12-17] Accepted node-tar 6.1.13+~cs7.0.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-12-12] Accepted node-tar 4.4.6+ds1-3+deb10u2 (source) into oldstable (Guilhem Moulin)
[2022-11-11] node-tar 6.1.12+~cs6.1.5-1 MIGRATED to testing (Debian testing watch)
[2022-11-04] Accepted node-tar 6.1.12+~cs6.1.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 3)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 6.2.1+ds1+~cs6.1.13-7