High severityOSV Advisory· Published Jan 28, 2026· Updated Jan 28, 2026
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
CVE-2026-24842
Description
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tarnpm | < 7.5.7 | 7.5.7 |
Affected products
1Patches
1f4a7aa9bc3d7fix: properly sanitize hard links containing ..
2 files changed · +22 −1
src/unpack.ts+2 −1 modified@@ -271,6 +271,7 @@ export class Unpack extends Parser { field: 'path' | 'linkpath', ): boolean { const p = entry[field] + const { type } = entry if (!p || this.preservePaths) return true const parts = p.split('/') @@ -284,7 +285,7 @@ export class Unpack extends Parser { // just rejecting any path with '..' - relative symlinks like // '../sibling/file' are valid if they resolve within the cwd. // For paths, they just simply may not ever use .. at all. - if (field === 'path') { + if (field === 'path' || type === 'Link') { this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { entry, [field]: p,
test/ghsa-8qq5-rm4j-mr97.ts+20 −0 modified@@ -23,6 +23,20 @@ const getExploitTar = () => { }).encode(hardHeader, 0) chunks.push(hardHeader) + const hardSubHeader = Buffer.alloc(1024) + new Header({ + path: 'sub/', + type: 'Directory', + size: 0, + }).encode(hardSubHeader, 0) + new Header({ + path: 'sub/exploit_sub', + type: 'Link', + size: 0, + linkpath: '../secret.txt', + }).encode(hardSubHeader, 512) + chunks.push(hardSubHeader) + const symHeader = Buffer.alloc(512) new Header({ path: 'exploit_sym', @@ -77,6 +91,12 @@ t.test('hardlink escape does not clobber target', async t => { readFileSync(resolve(dir, 'secret.txt'), 'utf8'), 'ORIGINAL DATA', ) + + writeFileSync(resolve(out, 'sub/exploit_sub'), 'OVERWRITTEN SUB') + t.equal( + readFileSync(resolve(dir, 'secret.txt'), 'utf8'), + 'ORIGINAL DATA', + ) }) t.test('symlink escapes are sanitized', async t => {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-34x7-hfp2-rc4vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24842ghsaADVISORY
- github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46ghsax_refsource_MISCWEB
- github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4vghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.