CVE-2026-29786
Published 2026-03-07
Priority P4 (28)
CVSS 3.1: 6.3 (medium), vector AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
EPSS: 0.41% (32.6th percentile)
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < 6.2.1+ds1+~cs6.1.13-8 (forky) | 6.2.1+ds1+~cs6.1.13-8 (forky) |
| gnu | tar | >= 0 < 7.5.10 | 7.5.10 |
| isaacs | node-tar | < 7.5.10 | 7.5.10 |
| isaacs | node-tar | >= 0 < 6.2.1+ds1+~cs6.1.13-8 | 6.2.1+ds1+~cs6.1.13-8 |
| isaacs | tar | < 7.5.10 | 7.5.10 |
| msrc | azl3_tar_1.35-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_tar_1.34-3_on_cbl_mariner_2.0 | — | — |
Note on the mapping: the vulnerable software is the npm `tar` package (isaacs/node-tar), fixed upstream in 7.5.10. The `gnu | tar` row reuses node-tar's 7.5.10 range under GNU tar's product name, which is a name collision in the feed, not a finding against GNU tar (whose releases are 1.x). The `isaacs | node-tar | < 6.2.1+ds1+~cs6.1.13-8` row repeats Debian's packaged version string, in which the fix is backported onto the 6.2.1 branch; it is not an upstream release range. The two msrc rows are Microsoft product tags with no version data on this page.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N |
| nvd | 4.0 | 8.2 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.2 | HIGH | — |
| vendor_debian | — | 8.2 | HIGH | — |
| vendor_msrc | — | 8.2 | HIGH | — |
| vendor_redhat | — | 8.2 | HIGH | — |
The 6.3 and 8.2 figures are not in conflict: NVD's v3.1 scoring rates the issue medium, while its v4.0 scoring and the vendors that adopt it rate the same flaw high. Both agree it is local (a crafted archive must be handed to the extracting application), needs user interaction and has integrity as its main impact.
OSV
osv · 2026-03-07 · CVSS 8.2 · HIGH
CVE-2026-29786: node-tar is a full-featured Tar for Node.js (description identical to the NVD text above)
OSV
osv · 2026-03-05 · HIGH
CVE-2026-29786: tar has Hardlink Path Traversal via Drive-Relative Linkpath
### Summary
`tar` (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as `C:../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction.
### Details
The extraction logic in `Unpack[STRIPABSOLUTEPATH]` checks for `..` segments *before* stripping absolute roots.
What happens with `linkpath: "C:../target.txt"`:
1. Split on `/` gives `['C:..', 'target.txt']`, so `parts.includes('..')` is false.
2. `stripAbsolutePath()` removes `C:` and rewrites the value to `../target.txt`.
3. Hardlink creation resolves this against extraction `cwd` and escapes one directory up.
4. Writing through the extracted hardlink overwrites the
GHSA
ghsa · 2026-03-05 · HIGH · CWE-22
CVE-2026-29786: tar has Hardlink Path Traversal via Drive-Relative Linkpath
Advisory text (GHSA-qffp-2rhf-9h96) identical to the OSV entry above.
Microsoft
vendor_msrc · 2026-03-10 · CVSS 8.2 · HIGH · CWE-22
CVE-2026-29786: node-tar: Hardlink Path Traversal via Drive-Relative Linkpath
Product tags: Mariner, GitHub_M
Customer Action Required: Yes
Red Hat
vendor_redhat · 2026-03-07 · CVSS 8.2 · HIGH · CWE-22
CVE-2026-29786: node-tar: hardlink path traversal via drive-relative linkpath
A flaw was found in node-tar. A hardlink that points outside the extraction directory can be created by using a drive-relative link target such as C:../target.txt, allowing a file overwrite outside the current working directory during normal tar.x() extraction.
Statement: To exploit this flaw, an attacker must be able to supply a specially crafted archive to be processed by an application
Debian
vendor_debian · 2026 · CVSS 8.2 · HIGH
CVE-2026-29786: node-tar (description identical to the NVD text above)
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 6.2.1+ds1+~cs6.1.13-8)
sid: resolved (fixed in 6.2.1+ds1+~cs6.1.13-8)
trixie: open
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 8.2 · HIGH
CVE-2026-29786 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29786 : JavaScript vulnerability analysis and mitigation
Description identical to the NVD text above. Source: NVD
Score: 8.2 (CNA score 8.2), severity HIGH, published March 7, 2026
Affected technologies: JavaScript, npm
Has Public Exploit: Yes (this page's own exploit index above lists none, so treat the flag as unconfirmed)
Has CISA KEV Exploit: No (KEV release date N/A, due date N/A)
Exploitation Probability Percentile (EPSS): 0.2; Exploitation Probability (EPSS): N/A
Affected packages and libraries: openclaw, nodejs20-debuginfo
Sources: NVD
References
https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
https://access.redhat.com/security/cve/CVE-2026-29786
https://bugzilla.redhat.com/show_bug.cgi?id=2445476
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29786.json