PT-2026-23608 · Node-Tar+1

Jvr2022 · Published 2026-03-05 · Updated 2026-05-18 · CVE-2026-29786

CVSS v4.0: 8.2 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L
Name of the Vulnerable Software and Affected Versions: node-tar versions prior to 7.5.10

Description: The node-tar package contains a flaw where it can be tricked into creating a hardlink that points outside the extraction directory. This is achieved by using a drive-relative link target, such as 'C:../target.txt', which allows for file overwrite outside the current working directory during normal tar.x() extraction. The extraction logic fails to properly handle '..' segments before stripping absolute roots, leading to the creation of the malicious hardlink. This issue is reachable when extracting attacker-controlled tar archives. The impact of this issue is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Recommendations: Versions prior to 7.5.10 should be updated to version 7.5.10 or later.

Exploit · Fix

Weakness Enumeration: Link Following, Path traversal

Related Identifiers

AZL-79553
AZL-79556
BDU:2026-06967
CLEANSTART-2026-AD27625
CLEANSTART-2026-CB77162
CLEANSTART-2026-CE10526
CLEANSTART-2026-DU32240
CLEANSTART-2026-DV49099
CLEANSTART-2026-GS57401
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CLEANSTART-2026-TZ34913
CVE-2026-29786
GHSA-QFFP-2RHF-9H96

Affected Products

Red Os
Node-Tar