CVE-2026-29786 HIGH

CVE-2026-29786: node-tar: Hardlink Path Traversal via Drive-Relative Linkpath

Vendor Isaacs
Product node-tar
Weakness CWE-22 · Path traversal
Published March 7, 2026
Last update June 30, 2026

CVSS base score

8.2/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Passive
Confidentiality None
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

What the vulnerability does

01 Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
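
A pre-extraction check for the pattern described above, as an added example that is not node-tar's code or its patch. It models archive entries as plain objects with type, path and linkpath fields; the function names, the rejection policy and the sample entries are assumptions constructed for illustration. It shows why a check that only looks for a ".." segment in the raw link target misses C:../target.txt, and flags hardlink targets that are absolute, drive-relative, or climb above the extraction root.

```javascript
// Naive check (hypothetical): looks for a ".." segment in the raw linkpath.
// "C:../target.txt" splits into ["C:..", "target.txt"], so it passes.
function naiveHasDotDot(linkpath) {
  return linkpath.split(/[\\/]/).includes('..');
}

// Classify a link target using Windows drive-letter rules.
// "C:\x" and "/x" are absolute; "C:x" and "C:../x" are drive-relative.
function classifyLinkpath(linkpath) {
  const hasDrive = /^[a-zA-Z]:/.test(linkpath);
  const rest = hasDrive ? linkpath.slice(2) : linkpath;
  if (/^[\\/]/.test(rest)) return 'absolute';
  return hasDrive ? 'drive-relative' : 'relative';
}

// True if the target, once any drive prefix is dropped, climbs above the
// directory it is resolved against (the extraction root for hardlinks).
function escapesRoot(linkpath) {
  const rest = linkpath.replace(/^[a-zA-Z]:/, '');
  let depth = 0;
  for (const seg of rest.split(/[\\/]+/)) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (--depth < 0) return true;
    } else {
      depth++;
    }
  }
  return false;
}

// Return the paths of hardlink entries to reject before extraction.
function findUnsafeLinks(entries) {
  return entries
    .filter((e) => e.type === 'Link')
    .filter((e) => classifyLinkpath(e.linkpath) !== 'relative' || escapesRoot(e.linkpath))
    .map((e) => e.path);
}

// Constructed sample entries (not taken from a real archive).
const SAMPLE_ENTRIES = [
  { type: 'File', path: 'a.txt' },
  { type: 'Link', path: 'ok-link', linkpath: 'a.txt' },
  { type: 'Link', path: 'evil-link', linkpath: 'C:../target.txt' },
  { type: 'Link', path: 'up-link', linkpath: 'sub/../../x' },
];

console.log(findUnsafeLinks(SAMPLE_ENTRIES));
```

Upgrading to 7.5.10 is the fix the advisory names; a check like this is only an additional gate for archives from untrusted sources.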

Key dates

02 Disclosure timeline

March 7, 2026 CVE published
June 30, 2026 Record updated