CVSS Score: -

Basic Information

CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tar-fs | npm | < 1.16.4 | 1.16.4 |
| tar-fs | npm | >= 2.0.0, < 2.1.2 | 2.1.2 |
| tar-fs | npm | >= 3.0.0, < 3.0.7 | 3.0.7 |
The vulnerability lies in how symlink and hardlink entries are handled during extraction. exports.extract is the entry point: it normalizes the destination directory (cwd), but in the vulnerable versions that normalization alone was not sufficient, and the inner handlers onsymlink and onlink accepted link targets taken from the archive without checking where they resolved. A crafted tar entry could therefore create a symlink or hardlink whose target lies outside cwd, and that link (or later entries written through it) could read or write files anywhere the extracting process has access. The patch adds a containment check to onsymlink (an inCwd test on the resolved symlink target) and hardens path resolution in onlink so that hardlink targets are likewise confined to cwd. Until you are on a patched version, treat every archive from an untrusted source as able to write outside the extraction directory, and extract into a dedicated directory with a low-privilege process.