VYPR
High severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026

node-tar: Hardlink Path Traversal via Drive-Relative Linkpath

CVE-2026-29786

Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
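
The check below is an added example, not node-tar's code or its patch: it shows why a drive-relative link target such as C:../target.txt passes a segment-based ".." filter yet resolves outside cwd, next to a stricter validation. The function names, the sample directory C:\extract\out, and the assumption that a hardlink target is resolved against the extraction root are illustrative.

```javascript
// Added example, not node-tar's implementation.
// path.win32 applies Windows path rules on any host OS.
const { win32 } = require('node:path');

// Hypothetical segment-based filter: reject absolute targets and any
// path segment that is exactly "..".
function naiveIsSafe(linkpath) {
  if (win32.isAbsolute(linkpath)) return false;
  return !linkpath.split(/[\\/]/).includes('..');
}

// Where a link target lands when resolved against the extraction root
// (assumption: hardlink targets are resolved relative to cwd).
function resolvedTarget(cwd, linkpath) {
  return win32.resolve(cwd, linkpath);
}

// Stricter validation: refuse any drive prefix and any absolute path,
// then confirm the resolved target is still inside cwd.
function strictIsSafe(cwd, linkpath) {
  if (/^[a-zA-Z]:/.test(linkpath)) return false; // "C:..", "C:foo", "C:\foo"
  if (win32.isAbsolute(linkpath)) return false;  // "\foo", "\\server\share"
  const root = win32.resolve(cwd);
  const rel = win32.relative(root, win32.resolve(root, linkpath));
  if (rel === '..' || rel.startsWith('..' + win32.sep)) return false;
  return !win32.isAbsolute(rel);
}

// Constructed sample inputs.
const cwd = 'C:\\extract\\out';
for (const lp of ['sub/file.txt', '../target.txt', 'C:../target.txt']) {
  console.log(
    lp.padEnd(18),
    'naive:', naiveIsSafe(lp),
    'strict:', strictIsSafe(cwd, lp),
    '->', resolvedTarget(cwd, lp)
  );
}
```

The drive-relative form is not absolute and its first segment is "C:..", not "..", so only the drive-prefix test and the post-resolution containment check catch it.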

Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Affected versions   Patched versions
tar (npm)    < 7.5.10            7.5.10
