CVE-2015-8860

Name: CVE-2015-8860
Creator: NVD / NIST
Published: 2017-01-23T21:59:00.69+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 4.91%

Last modified Jun 17, 2026

CVE-2015-8860 is a vulnerability of currently unknown severity. The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.. EPSS estimates a 4.91% chance of exploitation in the next 30 days.

Description

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

Metrics

EPSS Probability

4.91%

91.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-59

Affected Software

Vendor	Product	Versions
Nodejs	Node.Js	<= 1.8.4

References

http://www.openwall.com/lists/oss-security/2016/04/20/11Mailing List, Third Party Advisory
https://nodesecurity.io/advisories/57Mitigation, Vendor Advisory
http://www.openwall.com/lists/oss-security/2016/04/20/11Mailing List, Third Party Advisory
https://nodesecurity.io/advisories/57Mitigation, Vendor Advisory

Timeline

Published: Jan 23, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-8860?

The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive.

How severe is CVE-2015-8860?

Severity scoring for CVE-2015-8860 is pending analysis. The EPSS model estimates a 4.91% probability of exploitation in the next 30 days.

How do I fix CVE-2015-8860?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-8860?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST