CVE-2026-26960
HIGH
GHSA-83g3-92jg-28cx
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
4Description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Analysis
Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications and dependencies using node-tar versions 7.5.7 and below; assess which systems process untrusted tar archives. Within 7 days: Apply the available patch to all affected instances and conduct regression testing. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today