CVE-2026-23745

EUVD-2026-2909
node-tar is a Tar implementation for Node.js. Versions of node-tar up to and including 7.5.2 fail to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default, secure setting). A malicious archive can therefore bypass the extraction-root restriction, enabling arbitrary file overwrite via hardlinks and symlink poisoning via absolute symlink targets. The vulnerability is fixed in version 7.5.3.
Path Traversal
CVSS 3.x Base Score
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 6.1 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

EPSS Score
Percentile: 1%
Affected Products (NVD)
Vendor | Product | Version | Status
isaacs | tar | < 7.5.3 | vulnerable
Debian Releases
Debian Product | Codename | Version | Status
node-tar | bookworm | - | no-dsa
node-tar | bullseye | - | vulnerable
node-tar | bullseye (security) | 6.0.5+ds1+~cs11.3.9-1+deb11u3 | fixed
node-tar | forky | 6.2.1+ds1+~cs6.1.13-10 | fixed
node-tar | sid | 6.2.1+ds1+~cs6.1.13-10 | fixed
node-tar | trixie | 6.2.1+~cs7.0.8-1+deb13u1 | fixed
Red Hat Enterprise Linux Releases
Red Hat Product | Release | Version | Status
sgx-common | RHEL 9 | 0:2.26-7.el9 | fixed
sgx-libs | RHEL 9 | 0:2.26-7.el9 | fixed
sgx-mpa | RHEL 9 | 0:2.26-7.el9 | fixed
sgx-pccs | RHEL 9 | 0:2.26-7.el9 | fixed
sgx-pccs-admin | RHEL 9 | 0:2.26-7.el9 | fixed
sgx-pckid-tool | RHEL 9 | 0:2.26-7.el9 | fixed
tdx-qgs | RHEL 9 | 0:2.26-7.el9 | fixed