PatchSiren cyber security CVE debrief

CVE-2015-8860 Nodejs CVE debrief

CVE-2015-8860 describes a tar-package vulnerability in the Node.js ecosystem where a crafted archive can use symlinks to cause arbitrary file writes. NVD rates it CVSS 7.5 High and maps it to CWE-59 (improper link resolution before file access), with no privileges or user interaction required. The issue is most relevant anywhere untrusted tar archives are extracted.

Vendor: Nodejs
Product: CVE-2015-8860
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Teams running Node.js applications, build pipelines, or services that unpack tar archives from untrusted or semi-trusted sources; maintainers of older tar-package dependencies; and security teams responsible for dependency governance and archive-handling controls.

Technical summary

The CVE text says the tar package before 2.0.0 for Node.js allows remote attackers to write arbitrary files via a symlink attack in an archive. NVD’s vulnerability data classifies the weakness as CWE-59 and assigns CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating a network-reachable issue with high integrity impact. NVD’s affected CPE entry lists node.js versions through 1.8.4, which should be checked against local dependency data and the vendor advisory context.

Defensive priority

High. The vulnerability is remotely reachable, requires no privileges or user interaction, and can affect file integrity through archive extraction. Prioritize remediation anywhere tar archives are processed automatically or from external inputs.

Recommended defensive actions

  • Upgrade the affected tar package to a fixed release and verify the resolved version in lockfiles and deployed artifacts.
  • Inventory applications, CI jobs, deployment tooling, and package managers that extract tar archives from untrusted sources.
  • Add or review archive-extraction safeguards that reject or safely handle symlinks and other path-redirecting entries.
  • Scan for vulnerable dependency trees and replace vendored or pinned copies that still resolve to affected versions.
  • Use the linked vendor and NVD advisories to confirm the affected version range in your environment.

Evidence notes

Source evidence includes the CVE description supplied here, which identifies the tar package before 2.0.0 for Node.js and a symlink-based arbitrary-file-write issue. NVD records the weakness as CWE-59 and publishes CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, supporting the high-severity integrity-focused assessment. The CVE was published on 2017-01-23; the NVD record was modified later on 2026-05-13, which should not be treated as the issue date.

Official resources

Publicly disclosed in the CVE record on 2017-01-23. The NVD entry was modified on 2026-05-13. No KEV entry is supplied for this CVE in the provided data.