CVE-2026-23745 in node-tar

Summary

by MITRE • 01/17/2026

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.


Analysis

by VulDB Data Team • 05/19/2026

CVE-2026-23745 is a vulnerability in the node-tar library that affects versions 7.5.2 and earlier. It concerns the library's handling of symbolic-link and hard-link entries during archive extraction and gives whoever controls an archive a way past the extraction-root restriction. The issue occurs when the preservePaths option is false, which is the default and the setting users rely on for safe extraction, so the secure-by-default configuration is precisely the one that is exposed.

The flaw is inadequate sanitization of the linkpath field during extraction. With preservePaths false, node-tar confines the path of each entry to the extraction root, but for Link (hardlink) and SymbolicLink entries the affected versions did not apply equivalent validation to the link target. A crafted archive can therefore carry a symlink entry whose target is an absolute path, or a hardlink entry whose linkpath resolves outside the extraction directory. The result is two distinct primitives: arbitrary file overwrite through hardlinks, and symlink poisoning, where a link created inside the extraction root points at a location of the attacker's choosing that later file operations will follow.

The impact depends on what the extracting process can reach. Any file writable by that process can be overwritten through a malicious hardlink, which may include configuration, scripts or other code that is later loaded or executed, and a poisoned symlink left inside the extraction tree redirects subsequent reads or writes through that path to an arbitrary location. These are path-traversal outcomes that the default configuration is meant to prevent; the flaw undermines the assumption that extracting an untrusted archive with default settings stays confined to the target directory.

The vulnerability is a path-traversal weakness (CWE-22); its symlink and hardlink handling is the kind of flaw catalogued as CWE-59, Improper Link Resolution Before File Access ('Link Following'). It is not a CSRF issue and does not on its own map to an ATT&CK execution or account-access technique: the primitive is a write or link outside the extraction root, which becomes code execution or persistence only when a file the attacker overwrote or redirected is later executed or loaded. Exposure is highest where archives come from untrusted parties, for example services that unpack user-uploaded archives, build and deployment pipelines that fetch and extract packages, and any extraction that runs with elevated privileges.

Mitigation is to upgrade to node-tar 7.5.3 or later, which applies the root restriction to the linkpath of link entries as well as to the entry path. Until that is done, do not extract untrusted archives with a vulnerable version unless link entries are rejected or their targets are checked against the extraction root before any file is created, and extract into a fresh, empty directory as a process without write access to anything that matters. Review wrappers and custom code around node-tar to confirm they do not set preservePaths or otherwise weaken the default, and add monitoring for unexpected hardlink and symlink creation during extraction. Sandboxed extraction and file-system access controls limit the damage from this or any similar flaw.
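As an added example that is not node-tar's own code and not the 7.5.3 patch, the following script illustrates both the flaw described above and the pre-extraction check the mitigation calls for: it builds a small ustar archive in memory and audits each entry with the rule a linkpath sanitizer must enforce, namely that a SymbolicLink target is relative and resolves inside the extraction root from the link's own directory, and that a Link (hardlink) target resolves inside the root. The sample archive, its entry names and all function names are constructed for illustration; tar paths are treated as "/"-separated text, and nothing is written to disk.

```javascript
"use strict";
// Added example, not node-tar's own code and not the 7.5.3 fix. Builds a
// ustar archive in memory and audits Link/SymbolicLink entries for targets
// that escape the extraction root, the check CVE-2026-23745 describes as
// missing for linkpath in node-tar <= 7.5.2. Nothing is written to disk.

// --- minimal ustar writer (only to construct the sample archive) ---
function ustarHeader({ name, type, linkname = "", size = 0 }) {
  const h = Buffer.alloc(512, 0);
  h.write(name, 0, 100, "utf8");
  h.write("0000644\0", 100, 8);                                // mode
  h.write("0000000\0", 108, 8);                                // uid
  h.write("0000000\0", 116, 8);                                // gid
  h.write(size.toString(8).padStart(11, "0") + "\0", 124, 12); // size
  h.write("00000000000\0", 136, 12);                           // mtime
  h.write("        ", 148, 8);          // checksum field is summed as spaces
  h.write(type, 156, 1);                // '0' file, '1' hardlink, '2' symlink
  h.write(linkname, 157, 100, "utf8");  // linkpath
  h.write("ustar\0", 257, 6);
  h.write("00", 263, 2);
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, "0") + "\0 ", 148, 8);
  return h;
}

function buildArchive(entries) {
  const blocks = [];
  for (const e of entries) {
    const data = Buffer.from(e.data || "");
    blocks.push(ustarHeader({ ...e, size: data.length }));
    if (data.length) {
      const padded = Buffer.alloc(Math.ceil(data.length / 512) * 512);
      data.copy(padded);
      blocks.push(padded);
    }
  }
  blocks.push(Buffer.alloc(1024));      // two zero blocks end the archive
  return Buffer.concat(blocks);
}

// --- minimal ustar reader: yields { name, type, linkpath, size } ---
function field(h, off, len) {
  const nul = h.indexOf(0, off);
  return h.toString("utf8", off, nul === -1 || nul > off + len ? off + len : nul);
}

function* parseTar(buf) {
  let off = 0;
  while (off + 512 <= buf.length) {
    const h = buf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break;  // zero block: end of archive
    const size = parseInt(field(h, 124, 12).trim() || "0", 8);
    yield { name: field(h, 0, 100), type: field(h, 156, 1) || "0",
            linkpath: field(h, 157, 100), size };
    off += 512 + Math.ceil(size / 512) * 512;
  }
}

// --- the check the vulnerable versions skipped for linkpath ---
// Tar paths are "/"-separated on every host, so they are normalised as text.
// Returns null when ".." climbs above the start, i.e. the path escapes.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (out.length === 0) return null; out.pop(); }
    else out.push(seg);
  }
  return out.join("/");
}
const isAbsolute = (p) => p.startsWith("/") || /^[A-Za-z]:/.test(p);
const dirname = (p) => (p.includes("/") ? p.slice(0, p.lastIndexOf("/")) : "");

// Verdict for one entry, evaluated relative to the extraction root.
function checkEntry(e) {
  if (isAbsolute(e.name) || normalizePosix(e.name) === null) {
    return { ok: false, reason: "entry path escapes root" };
  }
  if (e.type === "2") {        // SymbolicLink: target resolves from the link's own directory
    if (isAbsolute(e.linkpath)) return { ok: false, reason: "absolute symlink target" };
    if (normalizePosix(dirname(e.name) + "/" + e.linkpath) === null) {
      return { ok: false, reason: "symlink escapes root" };
    }
  } else if (e.type === "1") { // Link (hardlink): target names another entry, resolved from the root
    if (isAbsolute(e.linkpath)) return { ok: false, reason: "absolute hardlink target" };
    if (normalizePosix(e.linkpath) === null) return { ok: false, reason: "hardlink escapes root" };
  }
  return { ok: true };
}

function auditArchive(buf) {
  const findings = [];
  for (const e of parseTar(buf)) {
    const v = checkEntry(e);
    if (!v.ok) findings.push({ name: e.name, type: e.type, linkpath: e.linkpath, reason: v.reason });
  }
  return findings;
}

// Constructed sample archive (not a real-world exploit file).
const SAMPLE = buildArchive([
  { name: "app/config.json", type: "0", data: "{}\n" },
  { name: "app/data/link.txt", type: "2", linkname: "../config.json" }, // stays inside root
  { name: "app/passwd", type: "2", linkname: "/etc/passwd" },            // absolute symlink target
  { name: "app/escape", type: "1", linkname: "../../outside.txt" },      // hardlink outside root
]);

for (const f of auditArchive(SAMPLE)) {
  console.log(`reject ${f.name} (type ${f.type}) -> ${f.linkpath}: ${f.reason}`);
}
```

Run it with node; the audit rejects the absolute symlink and the escaping hardlink and accepts the relative symlink that stays under the root. On an installation that cannot yet move to 7.5.3, the same rule can be applied in the `filter` callback of node-tar's extract options, which is invoked per entry with the path and the entry object (link entries carry their linkpath and a type of `Link` or `SymbolicLink`); confirm the property names against the installed version's documentation and treat this as a stopgap, not a substitute for the upgrade.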

Responsible

GitHub M

Reservation

01/15/2026

Disclosure

01/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00011

KEV

no

Activities

very low
