CVE-2026-24842 HIGH

CVE-2026-24842: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

Vendor Isaacs
Product node-tar
Weakness CWE-22 · Path traversal
Published January 28, 2026
Last update June 30, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01 Description

node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7: the security check for hardlink entries resolves paths with different semantics than the logic that actually creates the hardlink. Because of this mismatch, an attacker can craft a malicious TAR archive that bypasses the path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
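The check/creation mismatch described above can be guarded against by auditing hardlink entries under every resolution rule before extraction. The following is an added example, not node-tar's code: the two resolution rules (relative to the extraction root, relative to the link entry's directory) and all names and sample entries are assumptions, since this record does not say which rule each code path uses.

```javascript
// Added example: lexical audit of tar hardlink entries before extraction.
// Tar member names use "/" separators, so paths are treated as POSIX strings.

// Walk `path` from `base` (array of segments under the extraction root).
// Returns the resulting segments, or null if ".." climbs above the root.
function resolveUnder(base, path) {
  const out = base.slice();
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out;
}

// Accept a hardlink only if its target stays inside the root under BOTH
// interpretations (assumed here): relative to the extraction root and
// relative to the directory that holds the link entry.
function auditHardlink(entry) {
  if (entry.linkpath.startsWith("/")) return { ok: false, reason: "absolute linkpath" };
  const entrySegs = resolveUnder([], entry.path);
  if (entrySegs === null) return { ok: false, reason: "entry path escapes root" };
  const entryDir = entrySegs.slice(0, -1);
  if (resolveUnder([], entry.linkpath) === null)
    return { ok: false, reason: "escapes when resolved from extraction root" };
  if (resolveUnder(entryDir, entry.linkpath) === null)
    return { ok: false, reason: "escapes when resolved from entry directory" };
  return { ok: true, reason: "contained under both interpretations" };
}

// Constructed sample entries (type "Link" = hardlink), not from a real archive.
const sampleEntries = [
  { type: "Link", path: "pkg/a/b/link1", linkpath: "pkg/a/file.txt" },
  { type: "Link", path: "pkg/a/b/link2", linkpath: "../../../outside.txt" },
  { type: "Link", path: "link3", linkpath: "/abs/target" },
  { type: "File", path: "pkg/a/file.txt" },
];

// Return only the hardlink entries that fail the audit, with the reason.
function flaggedLinks(entries) {
  return entries
    .filter((e) => e.type === "Link")
    .map((e) => ({ path: e.path, ...auditHardlink(e) }))
    .filter((r) => !r.ok);
}

console.log(flaggedLinks(sampleEntries));
```

The second sample entry is contained when resolved from its own directory but not when resolved from the extraction root, which is why a validator that applies only one rule is insufficient when the creation step applies the other.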

Key dates

02 Disclosure timeline

January 28, 2026 CVE published
June 30, 2026 Record updated