CVE-2026-31802

MEDIUM

tar < 7.5.11 - Path Traversal via Drive-Relative Symlink Target

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2026-31802. PoCs published by XiaomingX, Jvr2022, ridhinva.

AI-analyzed exploit summary The repository contains a functional proof-of-concept exploit for CVE-2026-31802, demonstrating a symlink path traversal vulnerability in the npm `tar` package. The exploit leverages a drive-relative symlink target to bypass validation and achieve arbitrary file overwrite outside the extraction directory.

Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.

Exploits (6)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-31802

View Code ZIP pw:eip

The repository contains a functional proof-of-concept exploit for CVE-2026-31802, demonstrating a symlink path traversal vulnerability in the npm `tar` package. The exploit leverages a drive-relative symlink target to bypass validation and achieve arbitrary file overwrite outside the extraction directory.

Classification

Working Poc 100%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: npm tar package <= 7.5.10

No auth needed

Prerequisites: vulnerable version of npm tar package · ability to provide a malicious tar archive

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Mar 15, 2026 Full analysis →

nomisec WORKING POC 1 stars

by Jvr2022 · poc

https://github.com/Jvr2022/CVE-2026-31802

View Code ZIP pw:eip

The repository contains a functional proof-of-concept exploit for CVE-2026-31802, demonstrating a symlink path traversal vulnerability in the npm `tar` package. The exploit leverages inconsistent path sanitization to create a symlink outside the intended extraction directory, enabling arbitrary file overwrite.

Classification

Working Poc 100%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: npm tar package <= 7.5.10

No auth needed

Prerequisites: vulnerable version of npm tar package (<= 7.5.10) · ability to provide a malicious tar archive

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Mar 15, 2026 Full analysis →

nomisec SCANNER

by ridhinva · poc

https://github.com/ridhinva/npm-tar-path-traversal-scanner

View Code ZIP pw:eip

This repository contains a scanner for detecting npm packages vulnerable to CVE-2026-31802, a path traversal vulnerability in the 'tar' npm package. It scans package-lock.json and node_modules for vulnerable versions and can test extraction behavior with crafted tar archives.

Classification

Scanner 100%

Attack Type

Other

Complexity

Moderate

Reliability

Reliable

Target: npm tar package

No auth needed

Prerequisites: Access to the target project directory or package-lock.json file

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Jun 04, 2026 Full analysis →

nomisec SCANNER

by ridhinva · poc

https://github.com/ridhinva/npm-tar-traversal-scanner

View Code ZIP pw:eip

This script scans npm packages or tar/tgz files for path traversal vulnerabilities by checking for suspicious symlinks or path patterns. It does not exploit the vulnerability but detects potential indicators of CVE-2026-31802.

Classification

Scanner 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: npm packages using tar

No auth needed

Prerequisites: npm package.json file or tar/tgz file

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed May 23, 2026 Full analysis →

github WORKING POC

by XZ1r0 · pythonpoc

https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/CVE-2026-31802

View Code ZIP pw:eip

The repository contains a functional proof-of-concept exploit for CVE-2026-31802, demonstrating a path traversal vulnerability in the npm tar package via symbolic link manipulation. The PoC creates a malicious tar archive that overwrites files outside the intended extraction directory.

Classification

Working Poc 95%

Attack Type

Other

Complexity

Trivial

Reliability

Reliable

Target: npm tar package

No auth needed

Prerequisites: Node.js environment · npm tar package installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed May 21, 2026 Full analysis →

nomisec SUSPICIOUS

by Recorded-texteditor120 · poc

https://github.com/Recorded-texteditor120/CVE-2026-31802

View Code ZIP pw:eip

The repository claims to provide a PoC for CVE-2026-31802 (npm tar path traversal via symlinks) but contains no actual exploit code. Instead, it directs users to download an external `.exe` or `.zip` file from GitHub releases, which is a common tactic for distributing malware or fake exploits.

Classification

Suspicious 95%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: npm tar package

No auth needed

Prerequisites: none provided

MITRE ATT&CK

T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/isaacs/node-tar/security/advisories/GHSA-9ppj-qmqm-q256

Patch x_refsource_misc

https://github.com/isaacs/node-tar/commit/f48b5fa3b7985ddab96dc0f2125a4ffc9911b6ad

View Patch ZIP pw:eip

Scores

CVSS v3 5.5

EPSS 0.0001

EPSS Percentile 1.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

isaacs/tar < 7.5.11

npm/tar 0 - 7.5.11npm

Published Mar 10, 2026

Tracked Since Mar 10, 2026