Is Node.js affected by CVE-2026-23745?

Organizations using node-tar should be aware of moderate risk from CVE-2026-23745, a path traversal vulnerability rated CVSS 6.1. This could allow unauthorized file access. Proof-of-concept code is publicly available.

CVE-2026-23745

Q: How to fix CVE-2026-23745?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

MEDIUM

2026-01-16 [email protected]

GHSA-8qq5-rm4j-mr97

6.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 16:20 vuln.today

Public exploit code

Patch Released

Feb 18, 2026 - 16:20 nvd

Patch available

CVE Published

Jan 16, 2026 - 22:16 nvd

MEDIUM 6.1

Description

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Analysis

node-tar versions 7.5.2 and earlier fail to properly sanitize link paths in tar archives when the default secure mode is enabled, allowing attackers to extract files outside the intended directory through malicious hardlinks and symlinks. Public exploit code exists for this vulnerability, which affects Node.js applications and related products including D-Link and Tar utilities. …

Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Review file handling controls.

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +30

POC: +20

Vendor Status

CVE-2026-23745 vulnerability details – vuln.today

Back

CVE-2026-23745

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Vendor Status

Share

CVE-2026-23745

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Vendor Status

Share

External POC / Exploit Code