Impact
node-tar, a widely used tar implementation for Node.js, can be deceived into creating a hardlink that points outside the intended extraction directory when the archive supplies a drive-relative link target such as C:../target.txt. A drive-relative path carries a drive letter but no root separator, so it is neither an absolute path nor an ordinary relative path, and a check that only rejects absolute paths and leading ../ segments does not catch it. The flaw allows an attacker who controls an archive to overwrite arbitrary files on the filesystem during a normal tar.x() extraction. The weakness is path traversal (CWE-22) combined with improper link resolution before file access (CWE-59). The result is corruption or replacement of files outside the extraction directory, which under elevated privileges could render the system inoperable or compromise data integrity.
Affected Systems
Any Node.js project that depends on the isaacs node-tar library at a version before 7.5.10 is potentially affected. The issue manifests wherever the application itself extracts archives: local scripts, build processes, or automated deployment pipelines. Because the hardlink target uses a drive-relative path, the bug is primarily relevant on platforms that interpret such syntax, which in practice means Windows hosts. All installations of node-tar older than 7.5.10 should be treated as at risk until the library is upgraded. The package is published on npm as tar, so running npm ls tar in a project shows every version it pulls in, including transitive copies that a lockfile may pin to an old release.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.2 (high), covering confidentiality, integrity, and availability impact. The EPSS score is reported as less than 1%, indicating a low current probability of exploitation in the wild, and it is not listed in the CISA KEV catalog, so CISA has not recorded evidence of active exploitation. The attack vector is inferred to require delivery of a malicious tar archive to a process that extracts it, which is plausible in many development and deployment scenarios: dependency installation, artifact download, and CI unpacking all fit. If the extraction runs with elevated privileges, the attacker could achieve local privilege escalation or full system compromise by overwriting critical system or application files.