High severity · NVD Advisory · Published Feb 20, 2026 · Updated Feb 20, 2026
node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction
CVE-2026-26960
Description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar (npm) | < 7.5.8 | 7.5.8 |
Affected products
48 package coordinates (osv-coords). No CPE is listed for any entry.

| Package | Affected range |
|---|---|
| pkg:apk/chainguard/actions-runner | < 2.332.0-r0 |
| pkg:apk/chainguard/code-server | < 4.106.3-r5 |
| pkg:apk/chainguard/graalvm-25-ce-nodejs | < 25.0.2-r2 |
| pkg:apk/chainguard/kibana-8.17 | < 8.17.10-r10 |
| pkg:apk/chainguard/kibana-8.17-iamguarded | < 8.17.10-r10 |
| pkg:apk/chainguard/kibana-8.19 | < 8.19.11-r1 |
| pkg:apk/chainguard/kibana-8.19-bitnami | < 8.19.11-r1 |
| pkg:apk/chainguard/kibana-8.19-iamguarded | < 8.19.11-r1 |
| pkg:apk/chainguard/kibana-9.0 | < 9.0.8-r10 |
| pkg:apk/chainguard/kibana-9.0-bitnami | < 9.0.8-r10 |
| pkg:apk/chainguard/kibana-9.0-iamguarded | < 9.0.8-r10 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r5 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r5 |
| pkg:apk/chainguard/kubeflow-pipelines-frontend | < 2.15.0-r12 |
| pkg:apk/chainguard/lerna | < 9.0.4-r3 |
| pkg:apk/chainguard/node-gyp | < 12.2.0-r2 |
| pkg:apk/chainguard/npm | < 11.10.1-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r0 |
| pkg:apk/chainguard/opensearch-dashboards-3 | < 3.5.0-r5 |
| pkg:apk/chainguard/opensearch-dashboards-3-fips | < 3.5.0-r3 |
| pkg:apk/chainguard/prism | < 5.14.3-r7 |
| pkg:apk/chainguard/pulumi-language-nodejs | < 3.223.0-r1 |
| pkg:apk/chainguard/renovate | < 43.38.0-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/sqlpad | < 7.5.7-r10 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r5 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r6 |
| pkg:apk/chainguard/vitess-22 | < 22.0.3-r2 |
| pkg:apk/chainguard/vitess-23 | < 23.0.2-r1 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.5-r0 |
| pkg:apk/chainguard/wazuh-dashboard-fips | < 4.14.5-r0 |
| pkg:apk/wolfi/code-server | < 4.106.3-r5 |
| pkg:apk/wolfi/kubeflow-pipelines-frontend | < 2.15.0-r12 |
| pkg:apk/wolfi/lerna | < 9.0.4-r3 |
| pkg:apk/wolfi/node-gyp | < 12.2.0-r2 |
| pkg:apk/wolfi/npm | < 11.10.1-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/wolfi/opensearch-dashboards-3 | < 3.5.0-r5 |
| pkg:apk/wolfi/prism | < 5.14.3-r7 |
| pkg:apk/wolfi/pulumi-language-nodejs | < 3.223.0-r1 |
| pkg:apk/wolfi/renovate | < 43.38.0-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/sqlpad | < 7.5.7-r10 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r5 |
| pkg:apk/wolfi/vitess-22 | < 22.0.3-r2 |
| pkg:apk/wolfi/vitess-23 | < 23.0.2-r1 |
| pkg:npm/tar | < 7.5.8 |
References
- github.com/advisories/GHSA-83g3-92jg-28cx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-26960 (ghsa, ADVISORY)
- github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384 (ghsa, x_refsource_MISC, WEB)
- github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f (ghsa, x_refsource_MISC, WEB)
- github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx (ghsa, x_refsource_CONFIRM, WEB)