nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()

Severity:: Medium

Description

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.

Recommendation

No fix is available yet. Followings are affected versions:

<= 0.2.0

References

GHSA-92fh-27vv-894w
www.npmjs.com
CVE-2025-69874
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script - CVE-2026-4092
React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
React Router has Path Traversal in File Session Storage - CVE-2025-61686
jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428

Tags:: npm; nanotar

Anything's wrong? Let us know Last updated on February 11, 2026