Listen to this Post
CVE-2026-29786 is a high-severity vulnerability in the `node-tar` library, a package used for creating and extracting Tar archives in Node.js . The flaw resides in how the library handles hardlink entries during the extraction process with tar.x(). Prior to version 7.5.10, the validation logic for a hardlink’s target path (linkpath) used different path resolution semantics than the function that actually creates the hardlink on the filesystem . Specifically, the security check resolved the `linkpath` relative to the entry’s parent directory within the archive, while the hardlink creation resolved it relative to the extraction destination directory (cwd) . This discrepancy allows an attacker to craft a malicious archive containing a hardlink with a drive-relative target, such as `C:../target.txt` on Windows. The initial validation incorrectly deems the path safe because it doesn’t start with `../` when resolved against the entry’s directory. However, during extraction, the path is resolved against the destination directory, causing the `..` sequence to traverse out of the intended extraction folder and overwrite arbitrary files elsewhere on the system .
Platform: node-tar library
Version: before 7.5.10
Vulnerability: Drive-relative hardlink escape
Severity: High (8.2 CVSS4.0)
date: March 7 2026
Prediction: Already Patched 7.5.10
What Undercode Say:
Analytics
This vulnerability is significant due to the ubiquitous nature of node-tar, which is used directly and indirectly by countless npm packages, build tools, and CI/CD pipelines . A successful exploit allows for arbitrary file overwrite, which can lead to remote code execution, data corruption, or system compromise depending on the privileges of the process performing the extraction . The attack vector is remote, requiring only that a user or automated process extracts a maliciously crafted tarball . The simplicity of the exploit and the widespread use of the library increase its potential impact across the JavaScript and Node.js ecosystems.
Bash Commands and Codes
Check for the vulnerable `tar` package in a project:
Check if node-tar is installed and its version npm list tar Check the version of tar in the package-lock.json grep '"tar"' package-lock.json
Update to the patched version:
Install the latest patched version npm install tar@latest Or explicitly install the patched version npm install [email protected] Update and save to package.json npm install [email protected] --save Update all dependencies, including nested ones npm update tar --depth=10
Example of a malicious TAR creation (PoC concept):
// create-malicious-tar.js (Conceptual example)
const fs = require('fs');
function tarHeader(name, type, linkpath = '') { / ... header creation logic ... / }
// Craft an entry for a hardlink that points outside the target directory
// The linkpath uses a drive-relative path to bypass simple checks
fs.writeFileSync('malicious.tar', Buffer.concat([
tarHeader('a/b/c/d/', 'dir'), // Create a deep directory
tarHeader('a/b/c/d/x', 'link', 'C:../target.txt'), // Hardlink with malicious target
Buffer.alloc(1024) // End of archive marker
]));
console.log('Malicious archive created.');
Note: This code is for educational purposes to illustrate the structure of an exploit archive.
How Exploit:
- Craft Archive: The attacker creates a TAR archive with a hardlink entry. The `linkpath` field is set to a drive-relative path like `C:../secret.txt` or a deeply nested relative path like `../../../../etc/passwd` .
- Bypass Validation: The vulnerable `node-tar` code checks the `linkpath` for path traversal by resolving it relative to the hardlink’s own location within the archive (e.g., `a/deep/path/` + `../../../../etc/passwd` might resolve to
etc/passwd, which passes the check) . - Create Hardlink: When creating the file, the library resolves the `linkpath` relative to the extraction destination (
cwd). The path traversal sequence then operates on the real filesystem, escaping the destination folder . - Overwrite File: The newly created hardlink points to a file outside the extraction directory (e.g., `/etc/passwd` or
C:\target.txt). Any subsequent write operation to the extracted hardlink file will modify the target file on the host system .
Protection from this CVE
Immediate Upgrade: Update the `tar` library to version 7.5.10 or later .
Dependency Scanning: Use `npm audit` or `yarn audit` to identify and fix projects that depend on vulnerable versions.
Filter Links: As a workaround, if upgrading immediately is impossible, programmatically filter out and refuse to extract all `Hardlink` and `SymbolicLink` entries from untrusted archives .
Principle of Least Privilege: Ensure that the process extracting tarballs runs with the minimum necessary filesystem permissions to limit the damage of a successful file overwrite .
Sandboxing: Extract untrusted archives in isolated environments like containers or sandboxed directories to prevent access to the main system’s files .
Impact
A successful exploit allows an attacker to:
Arbitrary File Overwrite: Modify or replace any file that the extraction process has permissions to write .
Remote Code Execution (RCE): Overwrite critical system files (e.g., ~/.ssh/authorized_keys, `/etc/cron.d/` scripts, application code) to execute malicious code .
Privilege Escalation: If the extraction process runs with high privileges, the attacker could overwrite system configuration files (e.g., /etc/passwd, /etc/sudoers) to gain administrative control .
Data Exfiltration: If the application serves the content of extracted files, a hardlink pointing to a sensitive file (e.g., /etc/shadow) could lead to a direct data leak .
Supply Chain Attacks: Malicious tarballs could be published to package registries, infecting developers and build pipelines that automatically extract them .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

