[BUG] Vulnerability CVE-2026-23745 in "node-tar" 7.5.2 dependency in npm

[darrentma]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Running security scan or npm audit finds a high severity CVE in the node-tar (tar v7.5.2). The issue is: CVE-2026-23745 see also: https://nvd.nist.gov/vuln/detail/CVE-2026-23745 )

The vulnerability is fixed in tar v7.5.3

Expected Behavior

"tar" dependency in npm should be updated to "7.5.3" to address CVE-2026-23745 (https://nvd.nist.gov/vuln/detail/CVE-2026-23745 )

Steps To Reproduce

1. In this environment: nodejs 20.19.5 or higher and npm 11.7.0
2. Run 'npm audit'
3. See error...

tar  <=7.5.2
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
No fix available

Fix is available in tar 7.5.3

Environment

• npm: 11.7.0
• Node.js: 20.19.5
• OS Name: RHEL 9.7
• System Model Name:
• npm config:

; copy and paste output from `npm config ls` here

[nicolasderouet]

Duplicate #8917

New CVE in node-tar (CVE-2026-23950) GHSA-r6q2-hw4h-h46w
"tar" dependency in npm should be updated to ">=7.5.4"

[wraithgar]

As stated in #8917, npm is not vulnerable here, and updating tar is part of our normal release process. tar will be updated in the next npm cli release.

[theNailz]

This tar vulnerability (CVE score 8.2) has been blocking CI/CD pipelines globally for two weeks now, with no viable workaround available to users:

• No newer npm release to upgrade to
• Cannot remove the dependency without breaking npm
• Cannot patch package.json inside the npm package

I understand the position that "npm itself is not vulnerable," but this framing misses the point: npm is the distribution channel for a high-severity vulnerability, and users have no path to remediation.

Closing issues and PRs with "we'll fix it in the next release" doesn't address the timeline question that's critical for security planning. Organizations are being forced to either accept audit failures, implement fragile workarounds, or block deployments entirely.

@wraithgar Could you provide:

1. An expected release date for the tar dependency bump?
2. Clarification on why this isn't being treated as a priority given the severity score and lack of user-side workarounds?

A simple version bump would unblock thousands of pipelines. The fix is straightforward; the impact of inaction is not.

[ghiscoding]

@theNailz I think it is fixed by PR #8951 and I though it would be included in #8950 for v11.9.0, but I can't find the "tar" update in it (maybe because it was created before #8951, hopefully they will update it), so I'm not sure when that will ship

[wraithgar]

Yes #8951 updates tar for npm. The reason it isn't in the release PR is because of degraded services yesterday with github actions. Expected release is tomorrow.