[HIGH] Node-tar Vulnerable To Arbitrary File Creation/Overwrite Via Hardlink Path Traversal

Baron

Summary: node-tar contains a vulnerability where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic.

Jan 16, 2026: The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior).

Vulnerability details:

CVE-2026-24842: node-tar vulnerable to arbitrary file creation/overwrite via hardlink path traversal. node-tar, a tar for Node.js, contains a vulnerability in.

Jan 19, 2026: Learn how CVE-2026-23745 allows arbitrary file overwrites via node-tar path traversal. Discover technical exploits, IoCs, and how to patch node-tar v7.5.3.

Conclusion: The node-tar package contains a critical vulnerability (CVE-2026-24842) that can lead to arbitrary file creation and overwriting through hardlink path traversal.

A flaw was found in node-tar, a Node.js module for handling tar archives. This vulnerability allows a remote attacker to bypass path traversal protections by crafting a malicious.

Jan 17, 2026: The vulnerability in node-tar library versions up to 7.5.2 arises from insufficient sanitization of the linkpath field for hardlink and SymbolicLink entries during tar archive extraction.

node-tar contains a vulnerability where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows specially crafted tar archives to bypass path traversal protections and create hardlinks pointing to files outside the intended extraction directory.

This vulnerability in the node-tar library allows for arbitrary file overwrite and symlink poisoning by failing to sanitize linkpath for hardlink and symbolic link entries.
