nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()

Severity:: Medium

Description

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.2.0

References

GHSA-92fh-27vv-894w
www.npmjs.com
CVE-2025-69874
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428
Mammoth is vulnerable to Directory Traversal - CVE-2025-11849
React Router has Path Traversal in File Session Storage - @remix-run/node - CVE-2025-61686
Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling - CVE-2026-39365

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; nanotar

Anything's wrong? Let us know Last updated on February 11, 2026