PT-2026-20374 · Node-Tar+2

Scumfrog · Published 2026-02-18 · Updated 2026-05-18 · CVE-2026-26960

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: node-tar versions 7.5.7 and below (fixed in node-tar version 7.5.8)

Description: The node-tar package contains a flaw where an attacker-controlled archive, extracted with default options, can create a hardlink inside the extraction directory that points to a file outside the extraction root. This gives arbitrary file read and write access as the user performing the extraction: the path protections are bypassed, and archive extraction effectively becomes direct filesystem access. The bypass chain combines symlinks with a hardlink. Specifically, the vulnerability stems from string-based linkpath checks that do not resolve symlinks on disk, combined with how hardlink targets are resolved and where the parent-directory safety checks are placed. A proof of concept demonstrates reading and writing files outside the intended extraction directory.

Recommendations: Versions prior to 7.5.8 should be updated to version 7.5.8 or later.

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-07231
CLEANSTART-2026-AD27625
CLEANSTART-2026-CB77162
CLEANSTART-2026-CE10526
CLEANSTART-2026-DU32240
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-LM41397
CLEANSTART-2026-NB51079
CLEANSTART-2026-NY12442
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CLEANSTART-2026-TZ34913
CVE-2026-26960
GHSA-83G3-92JG-28CX

Affected Products

Confluence
Red Os
Node-Tar