CVE-2026-29786 in node-tar

Summary

by MITRE • 03/07/2026

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.


Analysis

by VulDB Data Team • 06/02/2026

The vulnerability identified as CVE-2026-29786 affects the node-tar library, a widely used tar archive handling component in Node.js environments. Because node-tar is a dependency of many applications that read or write tar files, the security implications are significant. The flaw lies in how the library validates symbolic link and hard link targets during extraction, specifically when it encounters a drive-relative path, which slips past its directory traversal restrictions.

The root cause is insufficient validation of link targets during extraction. When an archive contains a hardlink whose target is drive-relative, such as C:../target.txt, node-tar fails to sanitize or validate the path before creating the hardlink. A drive-relative path has no separator after the drive letter, so it does not look absolute, yet Windows resolves it against the current directory of that drive rather than against the extraction directory. This validation gap allows an attacker to craft a tar archive that creates a hardlink pointing outside the intended extraction directory, bypassing the current-working-directory restriction that should confine all file operations to the designated target area.

The operational impact of this vulnerability extends beyond simple file overwrite scenarios, as it enables potential privilege escalation and data corruption attacks. An attacker who can influence the contents of a tar archive being processed by an affected node-tar version can manipulate the extraction process to overwrite files in arbitrary locations on the filesystem, potentially targeting system-critical files or user data. This type of vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and represents a classic example of path traversal exploitation in archive processing contexts.

Security practitioners should note that this vulnerability operates at the intersection of several ATT&CK techniques including T1059.007 for command and script interpreter execution, T1070.006 for file permissions modification, and T1566 for malicious file execution through social engineering or supply chain compromise. The attack vector typically involves compromising a tar archive through supply chain attacks, web application vulnerabilities, or by tricking users into processing malicious archives. Organizations using node-tar in their applications should prioritize immediate patching to version 7.5.10 or later, as this update implements proper path validation and sanitization for all link targets. Additional mitigations include implementing strict file permission controls on extraction directories, monitoring for unauthorized hardlink creation, and employing automated security scanning tools that can detect potentially malicious tar archives before processing.

Responsible: GitHub M
Reservation: 03/04/2026
Disclosure: 03/07/2026
Moderation: accepted
CPE: ready
EPSS: 0.00009
KEV: no
Activities: very low

Sources
