CVE-2026-24842
published 2026-01-28

Priority: P3 48 | high | 8.2 | CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:H / I:L / A:N
EPSS: 0.54% (41.3th percentile)

node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
debian | node-tar | < node-tar 6.2.1+ds1+~cs6.1.13-10 (forky) | node-tar 6.2.1+ds1+~cs6.1.13-10 (forky)
gnu | tar | >= 0 < 7.5.7 | 7.5.7
isaacs | node-tar | < 7.5.7 | 7.5.7
isaacs | node-tar | >= 0 < 6.2.1+ds1+~cs6.1.13-10 | 6.2.1+ds1+~cs6.1.13-10
isaacs | tar | < 7.5.7 | 7.5.7
npmjs | npm | 0 – 11.8.0 |

CVSS provenance

nvd | v3.1 | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
ghsa | 8.2 | HIGH
osv | 8.2 | HIGH
vendor_debian | 8.2 | LOW
vendor_redhat | 8.2 | HIGH