Npm · Node-Tar · CVE-2021-32804
**Name of the Vulnerable Software and Affected Versions**
node-tar versions prior to 3.3.2, 4.4.14, 5.0.6, and 6.1.1
**Description**
The issue affects node-tar, the Node.js module for reading and writing tar archives (npm package `tar`), which did not correctly sanitize sequences of the '/' character in entry paths. A remote attacker supplying a crafted archive could exploit this to create or overwrite arbitrary files, compromising data integrity or causing a denial of service. node-tar aims to prevent extraction to absolute paths by converting absolute entry paths to relative ones when the `preservePaths` flag is not set to `true`; however, this logic was insufficient when an entry path contained repeated path roots, so such a path could still resolve to an absolute location after sanitization.
**Recommendations**
For versions prior to 3.3.2, 4.4.14, 5.0.6, and 6.1.1, update to the respective fixed versions (3.3.2, 4.4.14, 5.0.6, or 6.1.1) to resolve the issue. As a temporary workaround, consider creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths.