Node.js tar Package Security Patch: CVE-2026-31802 Fixes Critical Path Traversal Vulnerability

A critical security vulnerability in the widely used Node.js `tar` package has been patched, addressing a flaw that could allow attackers to overwrite files anywhere on a Windows system. The vulnerability, tracked as CVE-2026-31802, stems from improper handling of drive-relative symlink targets during archive extraction. Specifically, the extraction logic in the `Unpack[STRIPABSOLUTEPATH]` function could be tricked into creating a symbolic link pointing outside the intended extraction directory by using a target like `C:../../../target.txt`. This bypasses the intended path validation, enabling arbitrary file writes outside the current working directory (`cwd`) during a normal `tar.x()` operation.

The patch, version 7.5.11, resolves this path traversal issue. The update is classified as a security patch, moving from version 7.5.10. The `tar` package is a fundamental dependency for countless Node.js applications, used for creating and extracting archive files, making this vulnerability a significant supply chain risk. The flaw specifically impacts Windows environments where drive letter paths are used.

This fix is critical for developers and organizations to implement immediately to prevent potential exploitation. The vulnerability highlights the persistent risks in software supply chains and the importance of timely dependency updates. While the patch is available, the widespread use of `tar` means many applications may remain vulnerable until their dependency graphs are updated, underscoring the need for automated security monitoring and patch management in development workflows.