It was discovered that the symlink extraction protections in node-tar, a Tar archives module for Node.js could by bypassed; allowing a malicious Tar archive to symlink into an arbitrary location.