CVE-2026-23745

EUVD-2026-2909
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Path Traversal
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.1 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
isaacstar
𝑥
< 7.5.3
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
Red HatRed Hat Enterprise Linux 10
0:2.26-7.el10 ≤
𝑥
< *
ADP
Red HatRed Hat Enterprise Linux 9
0:2.26-7.el9 ≤
𝑥
< *
ADP
Red HatNetwork Observability \(NETOBSERV\) 1.11.2
1771227650 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 2.25
1772093424 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift AI 3.3
1779189627 ≤
𝑥
< *
ADP
Red HatRed Hat OpenShift Dev Spaces 3.27
1774451954 ≤
𝑥
< *
ADP
Red HatRed Hat Trusted Artifact Signer 1.2
1770739056 ≤
𝑥
< *
ADP
Red HatRed Hat Trusted Artifact Signer 1.3
1770107452 ≤
𝑥
< *
ADP
Debian logo
Debian Releases
Debian Product
Codename
node-tar
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
6.0.5+ds1+~cs11.3.9-1+deb11u3
fixed
forky
6.2.1+ds1+~cs6.1.13-10
fixed
sid
7.5.19+~4.0.1-1
fixed
trixie
6.2.1+~cs7.0.8-1+deb13u1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
sgx-common
RHEL 9
0:2.26-7.el9
fixed
sgx-libs
RHEL 9
0:2.26-7.el9
fixed
sgx-mpa
RHEL 9
0:2.26-7.el9
fixed
sgx-pccs
RHEL 9
0:2.26-7.el9
fixed
sgx-pccs-admin
RHEL 9
0:2.26-7.el9
fixed
sgx-pckid-tool
RHEL 9
0:2.26-7.el9
fixed
tdx-qgs
RHEL 9
0:2.26-7.el9
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
nodejs20
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-debuginfo
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-debugsource
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-devel
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-docs
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-full-i18n
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-libs
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-libs-debuginfo
Amazon Linux 2023
1:20.20.0-1.amzn2023.0.2
fixed
nodejs20-npm
Amazon Linux 2023
1:10.8.2-1.20.20.0.1.amzn2023.0.2
fixed
nodejs22
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-debuginfo
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-debugsource
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-devel
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-docs
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-full-i18n
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-libs
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-libs-debuginfo
Amazon Linux 2023
1:22.22.0-1.amzn2023.0.2
fixed
nodejs22-npm
Amazon Linux 2023
1:10.9.4-1.22.22.0.1.amzn2023.0.2
fixed
nodejs24
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-debuginfo
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-debugsource
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-devel
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-docs
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-full-i18n
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-libs
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-libs-debuginfo
Amazon Linux 2023
1:24.14.0-1.amzn2023.0.1
fixed
nodejs24-npm
Amazon Linux 2023
1:11.9.0-1.24.14.0.1.amzn2023.0.1
fixed
v8-11.3-devel
Amazon Linux 2023
3:11.3.244.8-1.20.20.0.1.amzn2023.0.2
fixed
v8-12.4-devel
Amazon Linux 2023
3:12.4.254.21-1.22.22.0.1.amzn2023.0.2
fixed
v8-13.6-devel
Amazon Linux 2023
3:13.6.233.17-1.24.14.0.1.amzn2023.0.1
fixed