Description
node-tar is a tar implementation for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Published: 2026-01-16
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Overwrite and Symlink Poisoning
Action: Patch
AI Analysis

Impact

The node-tar library, used to extract tar archives in Node.js, sanitizes the path of each entry against the extraction root but, in affected versions, does not apply the same check to the linkpath (link target) of Link (hardlink) and SymbolicLink entries when preservePaths is false, which is the default. A malicious archive can therefore create a hardlink to a file outside the extraction directory and overwrite it through a later entry, or plant a symlink with an absolute target that subsequent operations follow. This is a path traversal issue (CWE-22) in the link target rather than in the entry name, and it can compromise the confidentiality, integrity and availability of the host if an untrusted archive is extracted.

Affected Systems

Any application that extracts archives with the tar npm package (GitHub isaacs/node-tar; CPE vendor isaacs, product tar) at version 7.5.2 or earlier is affected; those versions lack linkpath sanitization. Version 7.5.3 contains the fix.

Risk and Exploitability

The CVSS score of 8.2 (the GitHub/Red Hat rating; NVD's own CVSS 3.1 analysis rates it 6.1) indicates high severity. The EPSS score is listed as less than 1%, suggesting a low current probability of exploitation in the wild, and the flaw is not in the CISA KEV catalog; the SSVC assessment records a proof of concept ('poc') but marks it not automatable. All published vectors are AV:L: exploitation requires getting a crafted tar archive extracted by a vulnerable application, whether a local tool run by a user or a web service that unpacks uploaded archives. A hardlink entry whose linkpath points outside the extraction root lets a later entry in the same archive overwrite that file, and a symlink entry with an absolute target plants a link that later reads and writes follow; overwriting scripts, configuration or credentials this way can escalate to code execution in the context of the extracting process or disable services.

Generated by OpenCVE AI on April 18, 2026 at 05:37 UTC.

Remediation

Fixed in node-tar 7.5.3 (see the description and GHSA-8qq5-rm4j-mr97); no vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade the node-tar library (npm package tar) to version 7.5.3 or later, which sanitizes the linkpath of Link and SymbolicLink entries the same way entry paths are sanitized.
  • If upgrading is not immediately possible, extract only archives from trusted sources, and do not set preservePaths to true: that option disables node-tar's path sanitization entirely, and the vulnerability exists with the default preservePaths: false. As an interim control, pass a filter callback in the extract options that rejects Link and SymbolicLink entries whose linkpath is absolute or resolves outside the extraction root (or rejects link entries altogether if the archives do not need them).
  • Run the extraction in an isolated or permission-limited environment (for example a sandboxed container with a dedicated unprivileged user and a throwaway extraction directory) so that an overwritten file or planted symlink from a malicious archive cannot reach anything of value.

Generated by OpenCVE AI on April 18, 2026 at 05:37 UTC.

Tracking


Advisories
Source      | ID                  | Title
GitHub GHSA | GHSA-8qq5-rm4j-mr97 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
History

Wed, 18 Feb 2026 16:30:00 +0000

Type    | Values Removed                                                                     | Values Added
CPEs    |                                                                                    | cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*
Metrics | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'} | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N'}


Tue, 20 Jan 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 12:15:00 +0000

Type       | Values Removed       | Values Added
References |                      |
Metrics    | threat_severity None | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}
           |                      | threat_severity Important


Mon, 19 Jan 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Isaacs
                    |                | Isaacs tar
Vendors & Products  |                | Isaacs
                    |                | Isaacs tar

Fri, 16 Jan 2026 22:15:00 +0000

Type        | Values Removed | Values Added
Description |                | node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Title       |                | node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T14:53:24.513Z

Reserved: 2026-01-15T15:45:01.958Z

Link: CVE-2026-23745

Vulnrichment

Updated: 2026-01-20T14:53:15.313Z

NVD

Status : Analyzed

Published: 2026-01-16T22:16:26.830

Modified: 2026-02-18T16:20:07.823

Link: CVE-2026-23745

Redhat

Severity : Important

Public Date: 2026-01-16T22:00:08Z

Links: CVE-2026-23745 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T05:45:38Z

Weaknesses