CVE-2026-23745
EUVD-2026-290916.01.2026, 22:16
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| isaacs | tar | 𝑥 < 7.5.3 |
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 10 | 0:2.26-7.el10 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat Enterprise Linux 9 | 0:2.26-7.el9 ≤ 𝑥 < * | ADP |
| Red Hat | Network Observability \(NETOBSERV\) 1.11.2 | 1771227650 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat OpenShift AI 2.25 | 1772093424 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat OpenShift AI 3.3 | 1779189627 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat OpenShift Dev Spaces 3.27 | 1774451954 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat Trusted Artifact Signer 1.2 | 1770739056 ≤ 𝑥 < * | ADP |
| Red Hat | Red Hat Trusted Artifact Signer 1.3 | 1770107452 ≤ 𝑥 < * | ADP |
Debian Releases
Red Hat Enterprise Linux Releases
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| nodejs20 |
| ||
| nodejs20-debuginfo |
| ||
| nodejs20-debugsource |
| ||
| nodejs20-devel |
| ||
| nodejs20-docs |
| ||
| nodejs20-full-i18n |
| ||
| nodejs20-libs |
| ||
| nodejs20-libs-debuginfo |
| ||
| nodejs20-npm |
| ||
| nodejs22 |
| ||
| nodejs22-debuginfo |
| ||
| nodejs22-debugsource |
| ||
| nodejs22-devel |
| ||
| nodejs22-docs |
| ||
| nodejs22-full-i18n |
| ||
| nodejs22-libs |
| ||
| nodejs22-libs-debuginfo |
| ||
| nodejs22-npm |
| ||
| nodejs24 |
| ||
| nodejs24-debuginfo |
| ||
| nodejs24-debugsource |
| ||
| nodejs24-devel |
| ||
| nodejs24-docs |
| ||
| nodejs24-full-i18n |
| ||
| nodejs24-libs |
| ||
| nodejs24-libs-debuginfo |
| ||
| nodejs24-npm |
| ||
| v8-11.3-devel |
| ||
| v8-12.4-devel |
| ||
| v8-13.6-devel |
|
References