PT-2026-5047 · Node-Tar+2

Mistersiddd · Published 2026-01-27 · Updated 2026-05-19

CVE-2026-24842

CVSS v2.0: 8.5 High

Vector: AV:N/AC:L/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions: node-tar versions prior to 7.5.7

Description: In node-tar, the security check for hardlink entries resolves paths with different logic than the code that actually creates the hardlink. This discrepancy allows a malicious TAR archive to circumvent the path traversal protections and create hardlinks to files outside the intended extraction directory.

Recommendations: Update to version 7.5.7 or later.
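A defensive pre-extraction check for the class of issue described above, as an added example that is not node-tar's code or its fix. It reads only the 100-byte name and linkname fields of plain ustar headers; the function names, the `/srv/extract` root and the sample archive are constructed for illustration.

```javascript
// Added example, not node-tar code: audit hardlink entries before extraction.
const path = require('node:path');

// Read a NUL-terminated field from a 512-byte tar header.
const field = (h, off, len) => h.toString('latin1', off, off + len).split('\0')[0];

// Yield {name, type, linkname} per header, skipping each entry's data blocks.
function* tarEntries(buf) {
  for (let off = 0; off + 512 <= buf.length;) {
    const h = buf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) return; // end-of-archive marker
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    yield { name: field(h, 0, 100), type: String.fromCharCode(h[156]), linkname: field(h, 157, 100) };
    off += 512 + Math.ceil(size / 512) * 512;
  }
}

// True when `target`, resolved from `base`, names a path strictly below `root`.
function inside(root, base, target) {
  const rel = path.relative(root, path.resolve(base, target));
  return rel !== '' && rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Assumption: the page does not name the two resolution rules, so a link target
// must stay inside root from BOTH candidate bases (root and the entry's own dir).
function auditHardlinks(buf, root) {
  const findings = [];
  for (const e of tarEntries(buf)) {
    if ('xgLK'.includes(e.type)) { // pax/GNU long-name records are not decoded: fail closed
      findings.push({ name: e.name, reason: 'extended header not decoded' });
    } else if (e.type === '1') { // typeflag '1' is a hardlink
      const entryDir = path.dirname(path.resolve(root, e.name));
      const ok = !path.isAbsolute(e.linkname) &&
        inside(root, root, e.linkname) && inside(root, entryDir, e.linkname);
      if (!ok) findings.push({ name: e.name, linkname: e.linkname, reason: 'hardlink target escapes root' });
    }
  }
  return findings;
}
// Constructed sample archive (headers only, zero-length entries, no checksums).
function header(name, type, linkname = '') {
  const h = Buffer.alloc(512);
  [[name, 0], ['00000000000', 124], [type, 156], [linkname, 157]]
    .forEach(([s, off]) => h.write(s, off, 'latin1'));
  return h;
}
const SAMPLE = Buffer.concat([header('readme.txt', '0'), header('copy.txt', '1', 'readme.txt'),
  header('escape.txt', '1', '../outside.txt'), Buffer.alloc(1024)]);
console.log(auditHardlinks(SAMPLE, '/srv/extract')); // root path is a placeholder
```

Any finding means the archive should be rejected or reviewed rather than extracted; the check complements, and does not replace, updating to 7.5.7 or later.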

Exploit

Fix

Weakness Enumeration

Link Following
Path traversal

Related Identifiers

ALSA-2026:18480
ALSA-2026:18868
BDU:2026-00891
CLEANSTART-2026-AD27625
CLEANSTART-2026-CE10526
CLEANSTART-2026-DV49099
CLEANSTART-2026-NB51079
CLEANSTART-2026-OW14933
CLEANSTART-2026-SW34937
CLEANSTART-2026-TZ34913
CVE-2026-24842
GHSA-34X7-HFP2-RC4V
OPENSUSE-SU-2026:10410-1
RHSA-2026:18868

Affected Products

Confluence
Rocky Linux
Node-Tar