CVE-2026-29786 — Path Traversal in Node-tar

CWE-22 — Path Traversal CWE-59 — Link Following9 documents8 sources

Severity

8.2HIGHNVD

EPSS

0.0%

top 99.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Isaacs Node-tar Isaacs TAR GNU TAR

Timeline

PublishedMar 7

Latest updateMar 10

Description

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

Affected Packages4 packages

▶CVEListV5isaacs/node-tar< 7.5.10

▶Debianisaacs/node-tar< 6.2.1+ds1+~cs6.1.13-8

▶npmgnu/tar< 7.5.10

▶NVDisaacs/tar< 7.5.10

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2026-29786: node-tar is a full-featured Tar for Node↗2026-03-07

▶

CVEList

node-tar: Hardlink Path Traversal via Drive-Relative Linkpath↗2026-03-07

▶

OSV

tar has Hardlink Path Traversal via Drive-Relative Linkpath↗2026-03-05

▶

GHSA

tar has Hardlink Path Traversal via Drive-Relative Linkpath↗2026-03-05

▶

📋Vendor Advisories

Microsoft

node-tar: Hardlink Path Traversal via Drive-Relative Linkpath↗2026-03-10

▶

Red Hat

node-tar: hardlink path traversal via drive-relative linkpath↗2026-03-07

▶

Debian

CVE-2026-29786: node-tar - node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-29786 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶