CVE-2026-31802: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-31802 in the isaacs node-tar package is a path traversal flaw classified under CWE-22. node-tar is a widely used Node.js library for reading and writing tar archives. Prior to version 7.5.11, node-tar did not adequately restrict pathnames during extraction, specifically when processing symbolic links with drive-relative targets on Windows. An attacker can craft a tar archive containing a symlink whose target is a path like C:../../../target.txt. A drive-relative path of this form is not an absolute path, yet Windows resolves it against the current directory of that drive, so the link can end up pointing outside the extraction directory. When such an archive is extracted with the vulnerable tar.x() method, files outside the current working directory can be overwritten. Exploitation requires neither authentication nor user interaction and can occur locally or remotely wherever untrusted tar files are processed; the CVSS 4.0 vector nonetheless rates the attack vector as local (AV:L). The CVSS 4.0 score of 8.2 reflects high severity, with low attack complexity and no privileges required. The flaw affects confidentiality and integrity by allowing unauthorized modification of files, potentially enabling privilege escalation or code execution if critical system or application files are overwritten. The vulnerability is fixed in node-tar version 7.5.11, which sanitizes and restricts symlink targets so that they cannot resolve outside the extraction root.
Potential Impact
This vulnerability poses a significant risk to organizations using Node.js applications that rely on node-tar versions prior to 7.5.11, especially on Windows systems. Successful exploitation can lead to arbitrary file overwrites outside the extraction directory, compromising system integrity and potentially enabling further attacks such as privilege escalation, persistent malware installation, or disruption of application functionality. Confidential data could be overwritten or corrupted, and critical system files could be targeted, leading to denial of service or unauthorized control. Since node-tar is a common dependency in many Node.js projects, the attack surface is broad. Organizations that automatically extract tar archives from untrusted sources or user uploads are particularly at risk. Although no public exploits are currently known, the ease of exploitation and high impact make this a critical issue to address promptly to avoid potential widespread abuse.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade all instances of node-tar to version 7.5.11 or later, where the path traversal issue is fixed. Review and restrict the sources of tar archives to trusted origins to reduce exposure to malicious files. Implement validation and sanitization of archive contents before extraction, especially checking for symlinks and their targets. Consider running extraction processes with least privilege, using sandboxed or containerized environments to limit the impact of potential exploitation. Monitor file system changes during extraction for unexpected modifications outside intended directories. For Windows environments, pay special attention to drive-relative symlink handling. Additionally, incorporate security scanning tools in the CI/CD pipeline to detect vulnerable node-tar versions and prevent deployment of affected code. Educate developers and DevOps teams about the risks of processing untrusted archives and enforce secure coding practices around file extraction.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T16:33:42.913Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69af3955ea502d3aa8c59c83
Added to database: 3/9/2026, 9:19:17 PM
Last enriched: 3/9/2026, 9:33:54 PM
Last updated: 3/14/2026, 12:45:33 AM