[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2018-20834":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T20:55:29.923Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":195,"aliases":205,"duplicate_of":9,"upstream":207,"downstream":208,"duplicates":213,"related":214,"reserved_at":9,"published_at":215,"modified_at":216,"state":217,"summary":218,"references_raw":226,"kevs":269,"epss":270,"epss_history":273,"metrics":536,"affected":548},"CVE-2018-20834","A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-59","Improper Link Resolution Before File Access ('Link Following')","The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.","weakness","Draft","Base","Medium",[20,101,162,191],{"id":21,"name":22,"techniques":23},"CAPEC-132","Symlink Attack",[24],{"id":25,"name":26,"tactics":27,"countermeasures":34},"T1547.009","Shortcut Modification",[28,31],{"id":29,"name":30},"TA0110","Persistence",{"id":32,"name":33},"TA0111","Privilege Escalation",[35,40,44,48,52,57,62,67,72,77,81,85,89,93,97],{"id":36,"name":37,"tactic":38},"D3-FA","File Analysis",{"name":39},"Detect",{"id":41,"name":42,"tactic":43},"D3-FIM","File Integrity Monitoring",{"name":39},{"id":45,"name":46,"tactic":47},"D3-DA","Dynamic Analysis",{"name":39},{"id":49,"name":50,"tactic":51},"D3-EFA","Emulated File Analysis",{"name":39},{"id":53,"name":54,"tactic":55},"D3-FEV","File Eviction",{"name":56},"Evict",{"id":58,"name":59,"tactic":60},"D3-DF","Decoy File",{"name":61},"Deceive",{"id":63,"name":64,"tactic":65},"D3-FE","File Encryption",{"name":66},"Harden",{"id":68,"name":69,"tactic":70},"D3-RF","Restore File",{"name":71},"Restore",{"id":73,"name":74,"tactic":75},"D3-CF","Content Filtering",{"name":76},"Isolate",{"id":78,"name":79,"tactic":80},"D3-LFP","Local File Permissions",{"name":76},{"id":82,"name":83,"tactic":84},"D3-RFAM","Remote File Access Mediation",{"name":76},{"id":86,"name":87,"tactic":88},"D3-CQ","Content Quarantine",{"name":76},{"id":90,"name":91,"tactic":92},"D3-CM","Content Modification",{"name":76},{"id":94,"name":95,"tactic":96},"D3-EAL","Executable Allowlisting",{"name":76},{"id":98,"name":99,"tactic":100},"D3-EDL","Executable Denylisting",{"name":76},{"id":102,"name":103,"techniques":104},"CAPEC-17","Using Malicious Files",[105,142],{"id":106,"name":107,"tactics":108,"countermeasures":120},"T1574.005","Executable Installer File Permissions Weakness",[109,110,111,114,117],{"id":29,"name":30},{"id":32,"name":33},{"id":112,"name":113},"TA0030","Defense Evasion",{"id":115,"name":116},"TA0005","Stealth",{"id":118,"name":119},"TA0104","Execution",[121,126,130,134,138],{"id":122,"name":123,"tactic":124},"D3-SWI","Software Inventory",{"name":125},"Model",{"id":127,"name":128,"tactic":129},"D3-AVE","Asset Vulnerability Enumeration",{"name":125},{"id":131,"name":132,"tactic":133},"D3-SBV","Service Binary Verification",{"name":39},{"id":135,"name":136,"tactic":137},"D3-SU","Software Update",{"name":66},{"id":139,"name":140,"tactic":141},"D3-RS","Restore Software",{"name":71},{"id":143,"name":144,"tactics":145,"countermeasures":151},"T1574.010","Services File Permissions Weakness",[146,147,148,149,150],{"id":29,"name":30},{"id":32,"name":33},{"id":112,"name":113},{"id":115,"name":116},{"id":118,"name":119},[152,154,156,158,160],{"id":122,"name":123,"tactic":153},{"name":125},{"id":127,"name":128,"tactic":155},{"name":125},{"id":131,"name":132,"tactic":157},{"name":39},{"id":135,"name":136,"tactic":159},{"name":66},{"id":139,"name":140,"tactic":161},{"name":71},{"id":163,"name":164,"techniques":165},"CAPEC-35","Leverage Executable Code in Non-Executable Files",[166,173,180],{"id":167,"name":168,"tactics":169,"countermeasures":172},"T1027.006","HTML Smuggling",[170,171],{"id":112,"name":113},{"id":115,"name":116},[],{"id":174,"name":175,"tactics":176,"countermeasures":179},"T1027.009","Embedded Payloads",[177,178],{"id":112,"name":113},{"id":115,"name":116},[],{"id":181,"name":182,"tactics":183,"countermeasures":186},"T1564.009","Resource Forking",[184,185],{"id":112,"name":113},{"id":115,"name":116},[187],{"id":188,"name":189,"tactic":190},"D3-FFV","File Format Verification",{"name":76},{"id":192,"name":193,"techniques":194},"CAPEC-76","Manipulating Web Input to File System Calls",[],[196],{"_key":197,"name":198,"source":199,"url":200,"maturity":201,"reliability_score":202,"verified":203,"type":9,"platforms":204,"requires_auth":9,"exploitdb":9,"metasploit":9},"REF_232EB766A3E300EB","Exploit Reference (hackerone.com)","reference","https://hackerone.com/reports/344595","unknown",0.2,false,[],[206],"GHSA-j44m-qm6p-hp7m",[],[209,211],{"_key":210},"RHSA-2019:1821",{"_key":212},"DEBIAN-CVE-2018-20834",[],[],"2019-04-30T18:01:58.000Z","2024-08-05T12:12:27.376Z","Modified",{"cisa_kev":203,"cisa_ransomware":203,"cisa_vendor":9,"epss_severity":219,"epss_score":220,"severity":221,"severity_score":222,"severity_version":223,"severity_source":224,"severity_vector":225,"severity_status":217},"low",0.00719,"high",7.5,"v3.0","nvd","CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",[227,236,241,245,251,256,260,264],{"url":200,"sources":228,"tags":231},[229,224,230],"cve.org","osv_npm",[232,233,234,235],"X Refsource MISC","Exploit","Third Party Advisory","WEB",{"url":237,"sources":238,"tags":239},"https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8",[229,224,230],[232,240,234,235],"Patch",{"url":242,"sources":243,"tags":244},"https://github.com/npm/node-tar/compare/58a8d43...a5f7779",[229,224,230],[232,240,234,235],{"url":246,"sources":247,"tags":248},"https://access.redhat.com/errata/RHSA-2019:1821",[229,224,230],[249,250,235],"Vendor Advisory","X Refsource REDHAT",{"url":252,"sources":253,"tags":254},"https://nvd.nist.gov/vuln/detail/CVE-2018-20834",[229,224,230],[232,255],"Advisory",{"url":257,"sources":258,"tags":259},"https://github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d",[229,224,230],[232,235],{"url":261,"sources":262,"tags":263},"https://github.com/npm/node-tar/commits/v2.2.2",[229,224,230],[232,235],{"url":265,"sources":266,"tags":267},"https://github.com/isaacs/node-tar",[230],[268],"PACKAGE",[],{"date":271,"score":220,"percentile":272},"2026-06-04",0.72828,[274,278,281,284,287,290,293,296,299,302,305,308,310,313,316,320,323,326,328,331,334,337,340,343,346,349,352,355,358,361,364,367,370,373,376,378,380,383,386,389,392,395,398,400,403,406,409,412,415,418,421,424,427,430,433,436,439,442,445,448,451,454,457,459,461,464,467,470,473,476,479,482,484,487,490,493,496,498,501,503,506,509,512,515,517,519,523,526,529,533],{"date":275,"score":276,"percentile":277},"2025-11-04",0.00417,0.61003,{"date":279,"score":276,"percentile":280},"2025-11-05",0.6099,{"date":282,"score":276,"percentile":283},"2025-11-06",0.60996,{"date":285,"score":276,"percentile":286},"2025-11-07",0.6101,{"date":288,"score":276,"percentile":289},"2025-11-08",0.61013,{"date":291,"score":276,"percentile":292},"2025-11-09",0.61009,{"date":294,"score":276,"percentile":295},"2025-11-10",0.60986,{"date":297,"score":276,"percentile":298},"2025-11-11",0.61,{"date":300,"score":276,"percentile":301},"2025-11-12",0.61026,{"date":303,"score":276,"percentile":304},"2025-11-13",0.61032,{"date":306,"score":276,"percentile":307},"2025-11-14",0.61041,{"date":309,"score":276,"percentile":304},"2025-11-15",{"date":311,"score":276,"percentile":312},"2025-11-16",0.61021,{"date":314,"score":276,"percentile":315},"2025-11-17",0.61022,{"date":317,"score":318,"percentile":319},"2025-11-18",0.00904,0.73729,{"date":321,"score":318,"percentile":322},"2025-11-19",0.73735,{"date":324,"score":318,"percentile":325},"2025-11-20",0.73744,{"date":327,"score":276,"percentile":304},"2025-11-21",{"date":329,"score":276,"percentile":330},"2025-11-22",0.61037,{"date":332,"score":276,"percentile":333},"2025-11-23",0.61023,{"date":335,"score":276,"percentile":336},"2025-11-24",0.6102,{"date":338,"score":276,"percentile":339},"2025-11-25",0.61027,{"date":341,"score":276,"percentile":342},"2025-11-26",0.61028,{"date":344,"score":276,"percentile":345},"2025-11-27",0.61036,{"date":347,"score":276,"percentile":348},"2025-11-28",0.61018,{"date":350,"score":276,"percentile":351},"2025-11-29",0.60992,{"date":353,"score":276,"percentile":354},"2025-11-30",0.60983,{"date":356,"score":276,"percentile":357},"2025-12-01",0.61132,{"date":359,"score":276,"percentile":360},"2025-12-02",0.61146,{"date":362,"score":276,"percentile":363},"2025-12-03",0.61149,{"date":365,"score":276,"percentile":366},"2025-12-04",0.60978,{"date":368,"score":276,"percentile":369},"2025-12-05",0.60989,{"date":371,"score":276,"percentile":372},"2025-12-06",0.60985,{"date":374,"score":276,"percentile":375},"2025-12-07",0.6098,{"date":377,"score":276,"percentile":372},"2025-12-08",{"date":379,"score":276,"percentile":333},"2025-12-09",{"date":381,"score":276,"percentile":382},"2025-12-10",0.6107,{"date":384,"score":276,"percentile":385},"2025-12-11",0.61091,{"date":387,"score":276,"percentile":388},"2025-12-12",0.61114,{"date":390,"score":276,"percentile":391},"2025-12-13",0.61118,{"date":393,"score":276,"percentile":394},"2025-12-14",0.61116,{"date":396,"score":276,"percentile":397},"2025-12-15",0.61096,{"date":399,"score":276,"percentile":394},"2025-12-16",{"date":401,"score":276,"percentile":402},"2025-12-17",0.61134,{"date":404,"score":276,"percentile":405},"2025-12-18",0.61173,{"date":407,"score":276,"percentile":408},"2025-12-19",0.61183,{"date":410,"score":276,"percentile":411},"2025-12-20",0.61185,{"date":413,"score":276,"percentile":414},"2025-12-21",0.61171,{"date":416,"score":276,"percentile":417},"2025-12-22",0.61162,{"date":419,"score":276,"percentile":420},"2025-12-23",0.61177,{"date":422,"score":276,"percentile":423},"2025-12-24",0.61187,{"date":425,"score":276,"percentile":426},"2025-12-25",0.61221,{"date":428,"score":276,"percentile":429},"2025-12-26",0.61217,{"date":431,"score":276,"percentile":432},"2025-12-27",0.61265,{"date":434,"score":276,"percentile":435},"2025-12-28",0.61193,{"date":437,"score":276,"percentile":438},"2025-12-29",0.61186,{"date":440,"score":276,"percentile":441},"2025-12-30",0.612,{"date":443,"score":276,"percentile":444},"2025-12-31",0.61222,{"date":446,"score":276,"percentile":447},"2026-01-01",0.61407,{"date":449,"score":276,"percentile":450},"2026-01-02",0.61395,{"date":452,"score":276,"percentile":453},"2026-01-03",0.61391,{"date":455,"score":276,"percentile":456},"2026-01-04",0.61196,{"date":458,"score":276,"percentile":411},"2026-01-05",{"date":460,"score":276,"percentile":456},"2026-01-06",{"date":462,"score":276,"percentile":463},"2026-01-07",0.61219,{"date":465,"score":276,"percentile":466},"2026-01-08",0.61245,{"date":468,"score":276,"percentile":469},"2026-01-09",0.61248,{"date":471,"score":276,"percentile":472},"2026-01-10",0.61241,{"date":474,"score":276,"percentile":475},"2026-01-11",0.61225,{"date":477,"score":276,"percentile":478},"2026-01-12",0.61201,{"date":480,"score":276,"percentile":481},"2026-01-13",0.61179,{"date":483,"score":276,"percentile":444},"2026-01-14",{"date":485,"score":276,"percentile":486},"2026-01-15",0.6122,{"date":488,"score":276,"percentile":489},"2026-01-16",0.61238,{"date":491,"score":276,"percentile":492},"2026-01-17",0.61232,{"date":494,"score":276,"percentile":495},"2026-01-18",0.61229,{"date":497,"score":276,"percentile":441},"2026-01-19",{"date":499,"score":276,"percentile":500},"2026-01-20",0.61214,{"date":502,"score":276,"percentile":426},"2026-01-21",{"date":504,"score":276,"percentile":505},"2026-01-22",0.61224,{"date":507,"score":276,"percentile":508},"2026-01-23",0.6126,{"date":510,"score":276,"percentile":511},"2026-01-24",0.61267,{"date":513,"score":276,"percentile":514},"2026-01-25",0.6123,{"date":516,"score":276,"percentile":486},"2026-01-26",{"date":518,"score":276,"percentile":475},"2026-01-27",{"date":520,"score":521,"percentile":522},"2026-01-28",0.00766,0.72986,{"date":524,"score":521,"percentile":525},"2026-01-29",0.72987,{"date":527,"score":521,"percentile":528},"2026-01-30",0.72994,{"date":530,"score":531,"percentile":532},"2026-01-31",0.00762,0.72892,{"date":534,"score":531,"percentile":535},"2026-02-01",0.73019,[537,546],{"source":224,"cvss_v2_0":538,"cvss_v3_0":543,"cvss_v3_1":9,"cvss_v4_0":9},{"baseScore":539,"baseSeverity":9,"vectorString":540,"impactScore":541,"exploitabilityScore":542},6.4,"AV:N/AC:L/Au:N/C:N/I:P/A:P",4.9,10,{"baseScore":222,"baseSeverity":544,"vectorString":225,"impactScore":545,"exploitabilityScore":542},"HIGH",6,{"source":230,"cvss_v2_0":9,"cvss_v3_0":547,"cvss_v3_1":9,"cvss_v4_0":9},{"baseScore":222,"baseSeverity":9,"vectorString":225,"impactScore":545,"exploitabilityScore":542},[549,565,571],{"ecosystem":9,"name":550,"vendor":551,"product":550,"cpe_part":552,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":553},"tar","isaacs","a",[554,560],{"version":555,"is_range":556,"range_type":557,"version_start":9,"version_start_type":9,"version_end":558,"version_end_type":559,"fixed_in":9},"lt2.2.2",true,"cpe","2.2.2","excluding",{"version":561,"is_range":556,"range_type":557,"version_start":562,"version_start_type":563,"version_end":564,"version_end_type":559,"fixed_in":9},"gte3.0.0_lt4.4.2","3.0.0","including","4.4.2",{"ecosystem":9,"name":566,"vendor":567,"product":566,"cpe_part":552,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":568},"node-tar","node-tar_project",[569,570],{"version":555,"is_range":556,"range_type":557,"version_start":9,"version_start_type":9,"version_end":558,"version_end_type":559,"fixed_in":9},{"version":561,"is_range":556,"range_type":557,"version_start":562,"version_start_type":563,"version_end":564,"version_end_type":559,"fixed_in":9},{"ecosystem":572,"name":550,"vendor":572,"product":550,"cpe_part":9,"purl_type":573,"purl_namespace":9,"purl_name":550,"source":9,"versions":574},"Npm","npm",[575,578],{"version":576,"is_range":556,"range_type":577,"version_start":562,"version_start_type":563,"version_end":564,"version_end_type":559,"fixed_in":9},"gte3_0_0_lt4_4_2","semver",{"version":579,"is_range":556,"range_type":577,"version_start":9,"version_start_type":9,"version_end":558,"version_end_type":559,"fixed_in":9},"lt2_2_2"]