Description
Summary
The @contentstack/cli package version 1.56.0 has multiple transitive dependencies with 6 security vulnerabilities (5 high severity, 1 low severity) that need to be addressed.
Critical Vulnerabilities Overview
| CVE | Severity | Package | Versions Affected | Fixed In |
|---|---|---|---|---|
| CVE-2026-24842 | High | tar | ≤7.5.6 | ≥7.5.7 |
| CVE-2026-23950 | High | tar | ≤7.5.6 | ≥7.5.7 |
| CVE-2026-23745 | High | tar | ≤7.5.6 | ≥7.5.7 |
| CVE-2025-64756 | High | glob | 10.2.0-10.4.5 | ≥10.4.6 |
| CVE-2026-24001 | Low | diff | 5.0.0-5.2.1 | ≥5.2.2 |
| CVE-2025-54798 | Low | tmp | ≤0.2.3 | ≥0.2.4 |
1. node-tar Vulnerabilities (3 CVEs) - HIGH PRIORITY
Affected Locations
Multiple instances of vulnerable tar versions in the dependency tree:
- tar@6.2.1 via @oclif/plugin-plugins → npm → pacote
- tar@7.4.3 via @oclif/plugin-plugins → npm → cacache
- tar@7.4.3 via @oclif/plugin-plugins → npm → node-gyp
CVE-2026-24842: Hardlink Path Traversal
Severity: High | Reported: Feb 2026
The security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This allows attackers to craft malicious TAR archives that bypass path traversal protections and create hardlinks to arbitrary files outside the extraction directory.
Advisory: GHSA-34x7-hfp2-rc4v
CVE-2026-23950: Race Condition via Unicode Ligature Collisions
Severity: High | Reported: Jan 22, 2026
A race condition in tar's path reservations, triggered by Unicode ligature collisions on the macOS APFS filesystem, allows path traversal.
Advisory: GHSA-r6q2-hw4h-h46w
CVE-2026-23745: Symlink Poisoning via Insufficient Path Sanitization
Severity: High | Reported: Jan 19, 2026
Insufficient path sanitization allows arbitrary file overwrite and symlink poisoning attacks when extracting malicious TAR archives.
Advisory: GHSA-8qq5-rm4j-mr97
2. glob: Command Injection (CVE-2025-64756)
Affected Location
glob@10.4.5 via @oclif/plugin-plugins → npm
Severity: High | Reported: Dec 11, 2025
The glob CLI's -c/--cmd flag executes the matched paths with shell:true, which allows command injection and arbitrary command execution.
Advisory: GHSA-5j98-mcp5-4vw2
3. jsdiff: Denial of Service (CVE-2026-24001)
Affected Location
diff@5.2.0 via @oclif/plugin-plugins → npm → libnpmdiff
Severity: Low | Reported: Jan 16, 2026
A DoS vulnerability in the parsePatch and applyPatch functions can cause excessive resource consumption.
Advisory: GHSA-73rr-hh4g-fpgx
4. tmp: Symbolic Link Attack (CVE-2025-54798)
Affected Location
tmp@0.0.33 via @contentstack/cli-utilities → inquirer-search-checkbox → inquirer → external-editor
Severity: Low | Reported: Dec 11, 2025
Allows arbitrary temporary file/directory writes via a symbolic link supplied through the dir parameter.
Advisory: GHSA-52f5-9888-hmc6