CVE-2015-8860
HIGH
Nodejs Node.js < 1.8.4 - Symlink Following
Title source: rule
Description
The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.
Scores
CVSS v3
7.5
EPSS
0.0037
EPSS Percentile
58.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Classification
CWE
CWE-59
Status
draft
Affected Products (2)
nodejs/node.js
< 1.8.4
npm/tar
< 2.0.0
npm
Timeline
Published
Jan 23, 2017
Tracked Since
Feb 18, 2026