Vulnerability details: VCID-jj22-rfbv-bkg3
Vulnerability ID VCID-jj22-rfbv-bkg3
Aliases CVE-2026-26960
GHSA-83g3-92jg-28cx
Summary Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction

### Summary

`tar.extract()` in Node `tar` allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options. This enables **arbitrary file read and write** as the extracting user (no root, no chmod, no `preservePaths`). Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.

### Details

The bypass chain uses two symlinks plus one hardlink:

1. `a/b/c/up -> ../..`
2. `a/b/escape -> c/up/../..`
3. `exfil` (hardlink) `-> a/b/escape/<target-relative-to-parent-of-extract>`

Why this works:

- Linkpath checks are string-based and do not resolve symlinks on disk when judging hardlink target safety. See the `STRIPABSOLUTEPATH` logic in:
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281`
- Hardlink extraction resolves the target as `path.resolve(cwd, entry.linkpath)` and then calls `fs.link(target, destination)`:
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703`
- Parent directory safety checks (`mkdir` + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path:
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27`
  - `../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101`

As a result, `exfil` is created inside the extraction root but linked to an external file. The PoC confirms a shared inode and successful read+write via `exfil`.

### PoC

[hardlink.js](https://github.com/user-attachments/files/25240082/hardlink.js)

Environment used for validation:

- Node: `v25.4.0`
- tar: `7.5.7`
- OS: macOS Darwin 25.2.0
- Extract options: defaults (`tar.extract({ file, cwd })`)

Steps:

1. Prepare/locate a `tar` module. If `require('tar')` is not available locally, set `TAR_MODULE` to an absolute path to a tar package directory.
2. Run:

   ```bash
   TAR_MODULE="$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)" node hardlink.js
   ```

3. Expected vulnerable output (key lines):

   ```text
   same_inode=true
   read_ok=true
   write_ok=true
   result=VULNERABLE
   ```

Interpretation:

- `same_inode=true`: the extracted `exfil` and the external secret are the same file object.
- `read_ok=true`: reading `exfil` leaks external content.
- `write_ok=true`: writing `exfil` modifies the external file.

### Impact

Vulnerability type:

- Arbitrary file read/write via archive extraction path confusion and link resolution.

Who is impacted:

- Any application/service that extracts attacker-controlled tar archives with Node `tar` defaults.
- Impact scope is the privileges of the extracting process user.

Potential outcomes:

- Read sensitive files reachable by the process user.
- Overwrite writable files outside the extraction root.
- Escalate impact depending on deployment context (keys, configs, scripts, app data).
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26960.json
epss 5e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-26960
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-26960
cvssv3.1 7.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-83g3-92jg-28cx
cvssv3.1 7.1 https://github.com/isaacs/node-tar
generic_textual HIGH https://github.com/isaacs/node-tar
cvssv3.1 7.1 https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
generic_textual HIGH https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
ssvc Track https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
cvssv3.1 7.1 https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
generic_textual HIGH https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
ssvc Track https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
cvssv3.1 7.1 https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
cvssv3.1_qr HIGH https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
generic_textual HIGH https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
ssvc Track https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
cvssv3.1 7.1 https://nvd.nist.gov/vuln/detail/CVE-2026-26960
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-26960
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26960.json
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/isaacs/node-tar
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/ Found at https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/ Found at https://github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-20T15:29:17Z/ Found at https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-26960
Exploit Prediction Scoring System (EPSS)
Percentile 0.00263
EPSS Score 5e-05
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:37.409757+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json 38.0.0