Node Tar, Path Traversal, CVE-2026-24842 (High)

Listen to this Post

The vulnerability in `tar.extract()` of the Node `tar` library allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, even with default options that should prevent path traversal. This is achieved through a crafted chain of two symlinks and one hardlink that bypasses the library’s path sanitization. The root cause is that linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety. The `STRIPABSOLUTEPATH` logic fails to catch these crafted sequences. When extracting a hardlink, the target is resolved using `path.resolve(cwd, entry.linkpath)` followed by fs.link(target, destination). Parent directory safety checks are applied to the destination path of the extracted entry, but not to the resolved hardlink target path. This means a file named `exfil` can be created inside the extraction root but hardlinked to an external sensitive file. Successful exploitation results in the extracted file sharing the same inode as the external target, allowing both reading and writing of files outside the intended directory with the privileges of the extracting user .
Platform: Node Tar
Version: <7.5.7
Vulnerability: Path Traversal
Severity: High (CVSS 8.2)
Date: 2026-01-28

Prediction: Patch 2026-01-29

What Undercode Say:

Analytics:

The vulnerability exists due to a mismatch between the path resolution used for security checks and the actual hardlink creation logic . The `linkpath` of hardlink entries is not sufficiently validated, allowing absolute or traversal sequences to remain. The `fs.link` operation then directly creates a link to an external file, bypassing the intended extraction root restriction .

How Exploit:

An attacker crafts a tar archive with specific entries.

Check current version
npm list tar
Example structure of a malicious archive creation (conceptual)
tar -cf exploit.tar --hardlink /path/to/target/file exfil
The exploit relies on specific symlink chains to bypass checks, not just a direct hardlink.

Protection:

Immediately upgrade to version 7.5.7 or later.

Upgrade to patched version
npm install [email protected]
Verify the update
npm list tar
Audit project for vulnerability
npm audit fix

If unable to patch, avoid extracting untrusted tar archives. Implement strict validation of archive contents before extraction, rejecting any entries with absolute paths or `..` sequences in link fields .

Impact:

Arbitrary file read and write by the extracting user. An attacker can read sensitive files (e.g., configuration files, keys) or overwrite critical system or application files (e.g., /etc/passwd, application binaries) accessible to the user running the extraction process. This can lead to privilege escalation, data corruption, or remote code execution depending on the compromised files .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top