CVE-2026-24842

Severity: HIGH 8.2 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 21:54 (vuln.today)
PoC Detected: Feb 02, 2026 - 14:30 (vuln.today) - Public exploit code
Patch Released: Feb 02, 2026 - 14:30 (nvd) - Patch available
CVE Published: Jan 28, 2026 - 01:16 (nvd) - HIGH 8.2

Description

node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Analysis

node-tar before version 7.5.7 contains a path traversal vulnerability where inconsistent path resolution between validation and execution logic allows attackers to bypass security checks and create hardlinks to arbitrary files outside the intended extraction directory. Public exploit code exists for this vulnerability, affecting Node.js applications that process untrusted TAR archives. …


Remediation

Within 24 hours: Inventory all applications and dependencies using node-tar and identify those running versions prior to 7.5.7. Within 7 days: Apply the patch by upgrading node-tar to version 7.5.7 or later across all development, staging, and production environments. …


Priority Score

Score: 61 (KEV: 0, EPSS: +0.0, CVSS: +41, POC: +20)
