Description
nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.
References (3)
Core 3
Core References
Various Sources
https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69874-nanotar-Path-Traversal.md
Various Sources
https://www.npmjs.com/package/nanotar
Scores
CVSS v3
9.8
EPSS
0.0012
EPSS Percentile
30.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
npm/nanotar
0npm
unjs/nanotar
< 0.2.0
Published
Feb 11, 2026
Tracked Since
Feb 18, 2026