node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

8.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Description

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Basic Information

ID CVE-2026-24842

Source GitHub_M

Published Jan 28, 2026 at 00:20

Affected Product

Vendor isaacs

Product node-tar

Version < 7.5.7

Affected Versions isaacs node-tar < 7.5.7

CWE Classification

CWE-22 CWE-59

References

{
    "lastseen": "",
    "description": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.",
    "published": "2026-01-28T00:20:13.261Z",
    "modified": "2026-01-28T00:20:13.261Z",
    "type": "cve",
    "title": "node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
    "source": "GitHub_M",
    "references": "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v\nhttps://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46",
    "id": "CVE-2026-24842",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "isaacs node-tar < 7.5.7",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "node-tar",
    "version": "< 7.5.7",
    "vendor": "isaacs",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal_CVE-2026-24842