High severity · NVD Advisory · Published Mar 7, 2026 · Updated Mar 9, 2026
node-tar: Hardlink Path Traversal via Drive-Relative Linkpath
CVE-2026-29786
Description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
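The drive-relative case from the description, as an added example (not node-tar's code or its patch): path.win32 treats C:../target.txt as non-absolute, yet resolving it against an extraction root on the same drive lands one level above that root. The function names, the naive filter and the sample paths are assumptions constructed for illustration.

```javascript
// Added example, not node-tar's code. path.win32 applies Windows path rules on any host OS.
const { win32 } = require('node:path');

// Hypothetical naive filter: rejects absolute targets and a leading ".." segment only.
function naiveLooksSafe(linkpath) {
  const firstSegment = linkpath.split(/[\\/]/)[0];
  return !win32.isAbsolute(linkpath) && firstSegment !== '..';
}

// Stricter classification of a hardlink target relative to the extraction root (cwd).
function classifyLinkpath(linkpath, cwd) {
  const { root } = win32.parse(linkpath);
  // Root "C:" with no separator after it: the rest is relative to drive C:'s current directory.
  if (/^[a-zA-Z]:$/.test(root)) return 'drive-relative';
  if (win32.isAbsolute(linkpath)) return 'absolute';
  const rel = win32.relative(cwd, win32.resolve(cwd, linkpath));
  if (rel === '..' || rel.startsWith('..\\')) return 'escapes-cwd';
  return 'ok';
}

// Where a same-drive target ends up once it is resolved against cwd.
function landingPath(linkpath, cwd) {
  return win32.resolve(cwd, linkpath);
}

// Constructed sample input: an extraction root and link targets as a tar header might carry them.
const CWD = 'C:\\work\\extract';
const SAMPLES = ['sub/file.txt', '../target.txt', 'C:\\Windows\\target.txt', 'C:../target.txt'];

for (const linkpath of SAMPLES) {
  console.log(
    linkpath.padEnd(26),
    'naive safe:', naiveLooksSafe(linkpath),
    '| verdict:', classifyLinkpath(linkpath, CWD)
  );
}
console.log('C:../target.txt resolves to', landingPath('C:../target.txt', CWD));
```

Only the drive-relative sample passes the naive filter while still resolving outside the extraction root, which is why the drive prefix has to be examined separately from the absolute-path check.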
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar (npm) | < 7.5.10 | 7.5.10 |
Affected products
osv-coords: 33 versions (no CPE)
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/actions-runner | < 2.332.0-r2 |
| pkg:apk/chainguard/graalvm-25-ce-nodejs | < 25.0.2-r5 |
| pkg:apk/chainguard/kibana-8.18 | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-bitnami | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-8.18-iamguarded | < 8.18.8-r11 |
| pkg:apk/chainguard/kibana-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/kibana-9.1-iamguarded | < 9.1.10-r7 |
| pkg:apk/chainguard/lerna | < 9.0.7-r1 |
| pkg:apk/chainguard/node-gyp | < 12.2.0-r2 |
| pkg:apk/chainguard/npm | < 11.11.0-r2 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.19.5-r0 |
| pkg:apk/chainguard/prism | < 5.14.3-r9 |
| pkg:apk/chainguard/pulumi-language-nodejs | < 3.224.0-r2 |
| pkg:apk/chainguard/redisinsight | < 3.2.0-r1 |
| pkg:apk/chainguard/renovate | < 43.77.8-r1 |
| pkg:apk/chainguard/saf | < 1.6.0-r0 |
| pkg:apk/chainguard/sqlpad | < 7.5.7-r13 |
| pkg:apk/chainguard/tileserver-gl | < 5.5.0-r8 |
| pkg:apk/chainguard/tileserver-gl-fips | < 5.5.0-r9 |
| pkg:apk/chainguard/wazuh-dashboard | < 4.14.5-r0 |
| pkg:apk/chainguard/wazuh-dashboard-fips | < 4.14.5-r0 |
| pkg:apk/wolfi/lerna | < 9.0.7-r1 |
| pkg:apk/wolfi/node-gyp | < 12.2.0-r2 |
| pkg:apk/wolfi/npm | < 11.11.0-r2 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.19.4-r15 |
| pkg:apk/wolfi/prism | < 5.14.3-r9 |
| pkg:apk/wolfi/pulumi-language-nodejs | < 3.224.0-r2 |
| pkg:apk/wolfi/renovate | < 43.77.8-r1 |
| pkg:apk/wolfi/saf | < 1.6.0-r0 |
| pkg:apk/wolfi/sqlpad | < 7.5.7-r13 |
| pkg:apk/wolfi/tileserver-gl | < 5.5.0-r8 |
| pkg:npm/tar | < 7.5.10 |
References
- github.com/advisories/GHSA-qffp-2rhf-9h96 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-29786 (ghsa, ADVISORY)
- github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f (ghsa, x_refsource_MISC, WEB)
- github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 (ghsa, x_refsource_CONFIRM, WEB)