Description
vlt Mishandles Path Sanitization for tar
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-24909
- https://github.com/vltpkg/vltpkg/pull/1334
- https://github.com/vltpkg/vltpkg/commit/ff8d4099a1929772cea2adf131285e90ede6b0dd
- https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10
- https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act
- https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack
Packages
Name
@vltpkg/tar
npm
Affected versions: < 1.0.0-rc.10
Fixed version: 1.0.0-rc.10
Related vulnerabilities
CVSS3: 5.9
nvd
10 days ago
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.