GHSA-gf2c-jwcj-x929
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gf2c-jwcj-x929
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-gf2c-jwcj-x929/GHSA-gf2c-jwcj-x929.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gf2c-jwcj-x929
- Aliases
- Published
- 2026-01-28T00:31:42Z
- Modified
- 2026-02-03T03:06:30.744805Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N CVSS Calculator
- Summary
- vlt Mishandles Path Sanitization for tar
- Details
-
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
- Database specific
{ "nvd_published_at": "2026-01-27T23:15:50Z", "cwe_ids": [ "CWE-23" ], "github_reviewed_at": "2026-01-28T16:48:36Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2026-24909
- https://github.com/vltpkg/vltpkg/pull/1334
- https://github.com/vltpkg/vltpkg/commit/ff8d4099a1929772cea2adf131285e90ede6b0dd
- https://github.com/vltpkg/vltpkg
- https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10
- https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
- https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack
Affected packages
npm / @vltpkg/tar
Package
- Name
- @vltpkg/tar
- View open source insights on deps.dev
- Purl
- pkg:npm/%40vltpkg/tar