anonhaven
Ad

CVE-2026-23745

HIGH CVSS 4.0: 8.2 EPSS 0.01%
Updated Jan 20, 2026
Isaacs
Parameter Value
CVSS 8.2 (HIGH)
Fixed In 7.5.3
Type CWE-22 (Path Traversal)
Vendor Isaacs
Public PoC No

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets.

This vulnerability is fixed in 7.5.3.

Attack Parameters

Attack Vector
Local
Requires local access
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
Active
User action required

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
Low
Partial data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-22 Path Traversal

Vulnerable Products

isaacs:node-tar

References 2

https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face4…
security-advisories@github.com
https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-31802

Isaacs

8.2

CVE-2026-26960

Isaacs

7.1

CVE-2025-64756

Isaacs

7.5

CVE-2025-64118

Isaacs

6.1