CVE-2026-24842
Published 2026-01-28
CVE-2026-24842: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution…
Priority P3 · 48 · high · CVSS 3.1 8.2
AV:N AC:L PR:N UI:R S:C C:H I:L A:N
EPSS 0.54% (41.3rd percentile)
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < node-tar 6.2.1+ds1+~cs6.1.13-10 (forky) | node-tar 6.2.1+ds1+~cs6.1.13-10 (forky) |
| gnu | tar | >= 0 < 7.5.7 | 7.5.7 |
| isaacs | node-tar | < 7.5.7 | 7.5.7 |
| isaacs | node-tar | >= 0 < 6.2.1+ds1+~cs6.1.13-10 | 6.2.1+ds1+~cs6.1.13-10 |
| isaacs | tar | < 7.5.7 | 7.5.7 |
| npmjs | npm | 0 – 11.8.0 | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N |
| ghsa | 8.2 | HIGH | |
| osv | 8.2 | HIGH | |
| vendor_debian | 8.2 | LOW | |
| vendor_redhat | 8.2 | HIGH | |
VulDB
isaacs node-tar up to 7.5.6 path traversal (GHSA-34x7-hfp2-rc4v / Nessus ID 297040)
vuldb·2026-07-01·CVSS 8.2
CVE-2026-24842 [HIGH] isaacs node-tar up to 7.5.6 path traversal (GHSA-34x7-hfp2-rc4v / Nessus ID 297040)
A vulnerability, which was classified as critical, has been found in isaacs node-tar up to 7.5.6. Affected is an unknown function. Performing a manipulation results in path traversal.
This vulnerability is known as CVE-2026-24842. Remote exploitation of the attack is possible. No exploit is available.
It is advisable to upgrade the affected component.
OSV
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
osv·2026-01-28
CVE-2026-24842 [HIGH] node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
### Summary
node-tar contains a vulnerability where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory.
### Details
The vulnerability exists in `lib/unpack.js`. When extracting a hardlink, two functions handle the linkpath differently:
**Security check in `[STRIPABSOLUTEPATH]`:**
```javascript
const path = require('path');
// linkpath is the hardlink target recorded in the tar entry header;
// the check resolves it relative to the directory of the entry itself
const entryDir = path.posix.dirname(entry.path);
const resolved = path.posix.normalize(path.posix.join(entryDir, linkpath));
if (resolved.startsWith('../')) { /* block */ }
```
OSV
CVE-2026-24842: node-tar, a Tar for Node
osv·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842: node-tar, a Tar for Node
GHSA
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
ghsa·2026-01-28
CVE-2026-24842 [HIGH] CWE-22 node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
OSV
Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
osv·2026-01-23·CVSS 8.2
CVE-2026-0775 [HIGH] Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
### Duplicate Advisory
This advisory has been withdrawn because it describes a dependency bump and therefore, per [CVE CNA rule 4.1.12](https://www.cve.org/ResourcesSupport/AllResources/CNARules/#section_4-1_Vulnerability_Determination), is a duplicate of GHSA-34x7-hfp2-rc4v/CVE-2026-24842. Additionally, per https://github.com/npm/cli/issues/8939#issuecomment-3862719883, npm cli should not be listed as an affected product. This link is maintained to preserve external references.
### Original Description
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An at
GHSA
Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
ghsa·2026-01-23·CVSS 8.2
CVE-2026-0775 [HIGH] CWE-732 Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
Red Hat
node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
vendor_redhat·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CWE-59 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
A flaw was found in node-tar, a Node.js module for handling TAR archives. This vulnerability allows a remote attacker to bypass path traversal protections by crafting a malicious TAR archive. The security check for hardlink entries uses different path resolution
Debian
CVE-2026-24842: node-tar - node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 ...
vendor_debian·2026·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842: node-tar - node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 ...
Scope: local
bookworm: resolved
bullseye: open
forky: resolved (fixed in 6.2.1+ds1+~cs6.1.13-10)
sid: resolved (fixed in 6.2.1+ds1+~cs6.1.13-10)
trixie: resolved
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-24842 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24842: JavaScript vulnerability analysis and mitigation
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Source: NVD
Score: 8.2 (CNA score 8.2), severity HIGH
Published: January 28, 2026
Affected technologies: JavaScript, Grafana
Has public exploit: Yes
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation Probability Percentile (EPSS): 5.6
Exploitation P
Bugzilla
CVE-2026-24842 tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal [fedora-42]
bugzilla·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842 tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal [fedora-42]
CVE-2026-24842 tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently
Bugzilla
CVE-2026-24842 onnxruntime: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check [fedora-42]
bugzilla·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842 onnxruntime: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check [fedora-42]
CVE-2026-24842 onnxruntime: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check [fedora-42]
Bugzilla
CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
bugzilla·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
Bugzilla
CVE-2026-24842 kf6-breeze-icons: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal [fedora-42]
bugzilla·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842 kf6-breeze-icons: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal [fedora-42]
CVE-2026-24842 kf6-breeze-icons: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal [fedora-42]
Bugzilla
CVE-2026-24842 openvino: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check [fedora-42]
bugzilla·2026-01-28·CVSS 8.2
CVE-2026-24842 [HIGH] CVE-2026-24842 openvino: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check [fedora-42]
CVE-2026-24842 openvino: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check [fedora-42]
References:
https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
https://access.redhat.com/errata/RHSA-2026:18480
https://access.redhat.com/errata/RHSA-2026:18868
https://access.redhat.com/errata/RHSA-2026:2900
https://access.redhat.com/errata/RHSA-2026:33371
https://access.redhat.com/errata/RHSA-2026:5447
https://access.redhat.com/errata/RHSA-2026:6192
https://access.redhat.com/security/cve/CVE-2026-24842
https://bugzilla.redhat.com/show_bug.cgi?id=2433645
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24842.json