High severityOSV Advisory· Published Jan 28, 2026· Updated Jan 28, 2026
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
CVE-2026-24842
Description
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tarnpm | < 7.5.7 | 7.5.7 |
Affected products
63- osv-coords62 versionspkg:apk/chainguard/actions-runnerpkg:apk/chainguard/code-serverpkg:apk/chainguard/graalvm-25-ce-nodejspkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/kibana-8.18pkg:apk/chainguard/kibana-8.18-iamguardedpkg:apk/chainguard/kibana-8.19pkg:apk/chainguard/kibana-8.19-iamguardedpkg:apk/chainguard/kibana-9.0pkg:apk/chainguard/kibana-9.0-bitnamipkg:apk/chainguard/kibana-9.0-iamguardedpkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/kubeflow-centraldashboardpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/lernapkg:apk/chainguard/node-gyppkg:apk/chainguard/npmpkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-3pkg:apk/chainguard/opensearch-dashboards-3-fipspkg:apk/chainguard/prismpkg:apk/chainguard/pulumi-language-nodejspkg:apk/chainguard/redisinsightpkg:apk/chainguard/renovatepkg:apk/chainguard/safpkg:apk/chainguard/sqlpadpkg:apk/chainguard/tileserver-glpkg:apk/chainguard/tileserver-gl-fipspkg:apk/chainguard/vitess-22pkg:apk/chainguard/vitess-23pkg:apk/chainguard/wazuh-dashboardpkg:apk/chainguard/wazuh-dashboard-fipspkg:apk/wolfi/code-serverpkg:apk/wolfi/kubeflow-centraldashboardpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/lernapkg:apk/wolfi/node-gyppkg:apk/wolfi/npmpkg:apk/wolfi/opensearch-dashboards-2pkg:apk/wolfi/opensearch-dashboards-3pkg:apk/wolfi/prismpkg:apk/wolfi/pulumi-language-nodejspkg:apk/wolfi/renovatepkg:apk/wolfi/safpkg:apk/wolfi/sqlpadpkg:apk/wolfi/tileserver-glpkg:apk/wolfi/vitess-22pkg:apk/wolfi/vitess-23pkg:npm/tarpkg:rpm/almalinux/sgx-commonpkg:rpm/almalinux/sgx-libspkg:rpm/almalinux/sgx-mpapkg:rpm/almalinux/sgx-pccspkg:rpm/almalinux/sgx-pccs-adminpkg:rpm/almalinux/sgx-pckid-toolpkg:rpm/almalinux/tdx-qgspkg:rpm/opensuse/pnpm&distro=openSUSE%20Tumbleweed
< 2.331.0-r1+ 61 more
- (no CPE)range: < 2.331.0-r1
- (no CPE)range: < 4.106.3-r4
- (no CPE)range: < 25.0.2-r1
- (no CPE)range: < 8.17.10-r9
- (no CPE)range: < 8.17.10-r9
- (no CPE)range: < 8.18.8-r9
- (no CPE)range: < 8.18.8-r9
- (no CPE)range: < 8.19.11-r0
- (no CPE)range: < 8.19.11-r0
- (no CPE)range: < 9.0.8-r9
- (no CPE)range: < 9.0.8-r9
- (no CPE)range: < 9.0.8-r9
- (no CPE)range: < 9.1.10-r4
- (no CPE)range: < 9.1.10-r4
- (no CPE)range: < 9.2.5-r0
- (no CPE)range: < 9.2.5-r0
- (no CPE)range: < 1.10.0-r10
- (no CPE)range: < 2.15.0-r12
- (no CPE)range: < 9.0.4-r1
- (no CPE)range: < 12.2.0-r1
- (no CPE)range: < 11.9.0-r0
- (no CPE)range: < 2.19.4-r15
- (no CPE)range: < 2.19.5-r0
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 5.14.3-r5
- (no CPE)range: < 3.217.1-r2
- (no CPE)range: < 3.0.2-r2
- (no CPE)range: < 43.3.1-r0
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 7.5.7-r9
- (no CPE)range: < 5.5.0-r2
- (no CPE)range: < 5.5.0-r3
- (no CPE)range: < 22.0.3-r0
- (no CPE)range: < 23.0.1-r0
- (no CPE)range: < 4.14.5-r0
- (no CPE)range: < 4.14.5-r0
- (no CPE)range: < 4.106.3-r4
- (no CPE)range: < 1.10.0-r10
- (no CPE)range: < 2.15.0-r12
- (no CPE)range: < 9.0.4-r1
- (no CPE)range: < 12.2.0-r1
- (no CPE)range: < 11.9.0-r0
- (no CPE)range: < 2.19.4-r15
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 5.14.3-r5
- (no CPE)range: < 3.217.1-r2
- (no CPE)range: < 43.3.1-r0
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 7.5.7-r9
- (no CPE)range: < 5.5.0-r2
- (no CPE)range: < 22.0.3-r0
- (no CPE)range: < 23.0.1-r0
- (no CPE)range: < 7.5.7
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 10.32.1-1.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-34x7-hfp2-rc4vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-24842ghsaADVISORY
- github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46ghsax_refsource_MISCWEB
- github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4vghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.