Description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Published: 2026-02-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file read/write
Action: Upgrade
AI Analysis

Impact

This vulnerability in node-tar allows an attacker who can supply a crafted archive to create a hardlink within the extraction directory that points to a file outside the extraction root, permitting arbitrary reading and writing of files as the extracting user. The flaw bypasses the library’s path validation, turning normal archive extraction into a direct filesystem access primitive. Consequently, the attacker could gain read or write access to any file on the filesystem that the extracting process can read or write, potentially compromising confidentiality, integrity, or system stability. Based on the description, it is inferred that the attack could be remote if the extraction routine is invoked in a service that accepts user-supplied archives.

Affected Systems

The issue affects the node-tar package developed by isaacs and distributed via npm. Versions 7.5.7 and earlier are vulnerable; the problem was fixed in version 7.5.8 and later. All Node.js applications that use node-tar to extract tar archives and rely on default options are potentially impacted.

Risk and Exploitability

The CVSS score of 7.1 classifies the vulnerability as high severity. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, and there is no current listing in the CISA KEV catalog. The attack vector requires the attacker to provide a malicious archive to the extraction routine, so it is a local threat, or potentially a remote one if extraction occurs in a service that accepts user-supplied archives. Based on the description, it is inferred that the exploit may be possible in remote contexts where the extraction routine is exposed to untrusted input.

Generated by OpenCVE AI on April 18, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node-tar to version 7.5.8 or later in all projects to apply the fix.
  • If an upgrade cannot be performed immediately, avoid the default extraction options that allow hardlink creation; explicitly disable hardlinks or use safer extraction flags if available.
  • Audit any existing tar extraction routines to ensure they do not expose known vulnerable versions, and restrict filesystem permissions to minimize potential impact.

Generated by OpenCVE AI on April 18, 2026 at 11:36 UTC.

Advisories
Source       ID                    Title
Debian DLA   DLA-4552-1            node-tar security update
Github GHSA  GHSA-83g3-92jg-28cx   Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
History

Sat, 21 Feb 2026 00:15:00 +0000

  References: (no values shown)
  Metrics: threat_severity None removed, threat_severity Moderate added

Fri, 20 Feb 2026 19:30:00 +0000

  CPEs added: cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*

Fri, 20 Feb 2026 17:15:00 +0000

  Metrics ssvc added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

  First Time appeared: Isaacs, Isaacs tar
  Vendors & Products added: Isaacs, Isaacs tar

Fri, 20 Feb 2026 01:30:00 +0000

  Description added: node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
  Title added: node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction
  Weaknesses added: CWE-22
  References: (no values shown)
  Metrics cvssV3_1 added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:35:27.586Z

Reserved: 2026-02-16T22:20:28.611Z

Link: CVE-2026-26960

Vulnrichment

Updated: 2026-02-20T15:29:19.255Z

NVD

Status: Analyzed

Published: 2026-02-20T02:16:53.883

Modified: 2026-02-20T19:24:16.537

Link: CVE-2026-26960

Redhat

Severity: Moderate

Public Date: 2026-02-20T01:07:52Z

Links: CVE-2026-26960 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses