PT-2026-3329 · Node-Tar

Jvr2022 · Published 2026-01-16 · Updated 2026-03-13

CVE-2026-23745

CVSS v4.0: 8.2 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: node-tar versions <= 7.5.2

Description: The node-tar library fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false, which is the default secure behavior. A malicious archive can therefore bypass extraction root restrictions, potentially leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. The vulnerability exists in the src/unpack.ts file, specifically in the [HARDLINK] and [SYMLINK] methods. A malicious archive can create a hardlink to a sensitive file on the host and potentially overwrite it, if file permissions allow. Additionally, the library allows the creation of symbolic links pointing to sensitive absolute system paths or to traversing paths, even with secure extraction defaults.

Recommendations: Update to node-tar version 7.5.3 or later.

Exploit

Fix

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2026-00589
CLEANSTART-2026-LM41397
CLEANSTART-2026-NY12442
CVE-2026-23745
GHSA-8QQ5-RM4J-MR97

Affected Products

Node-Tar