CVE-2026-26960

EUVD-2026-8399

20.02.2026, 02:16

node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.1 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
isaacs	tar	𝑥 < 7.5.8

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

node-tar

bookworm	no-dsa
bullseye	vulnerable
bullseye (security)	6.0.5+ds1+~cs11.3.9-1+deb11u3 fixed
forky	6.2.1+ds1+~cs6.1.13-10 fixed
sid	6.2.1+ds1+~cs6.1.13-10 fixed
trixie	6.2.1+~cs7.0.8-1+deb13u1 fixed

Known Exploits!

https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Vulnerability Media Exposure

[GERMAN] Atlassian Produkte (Bamboo, Bitbucket, Confluence, Crucible, Fisheye und Jira): Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Atlassian Bamboo, Atlassian Bitbucket, Atlassian Confluence, Atlassian Crucible, Atlassian Fisheye und Atlassian Jira ausnutzen, um beliebigen Programmcode auszuführen, um einen Denial of Service Angriff durchzuführen, um Informationen offenzulegen, um einen Cross-Site Scripting Angriff durchzuführen, und um Sicherheitsvorkehrungen zu umgehen.
Published: 2026-05-19T22:00:00+00:00

References

https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384

https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f

https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx