CVE-2026-24842

High CVSS: 8.2

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Vendor

Isaacs

Product

Tar

CWE

CWE-22

Yayın Tarihi

2026-01-28 01:16:14

Güncelleme

2026-02-02 14:30:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-22 Tar HIGH Isaacs 2026

Referanslar

https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v

Benzer Kayıtlar

High

CVE-2026-31802

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink t…

High

CVE-2026-29786

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that p…

High

CVE-2026-26960

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-control…

High

CVE-2026-23950

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an…

High

CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library (

High

CVE-2025-64756

Glob matches files using patterns the shell uses. Starting in version 10.2.0 and prior to versions 10.5.0 and 11.1.0, th…