CVE-2026-24842 Overview
node-tar, a Tar archive library for Node.js, contains a path traversal vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory.
Critical Impact
Attackers can exploit this vulnerability to read or manipulate sensitive files outside the intended extraction directory by crafting malicious TAR archives with specially constructed hardlink entries containing path traversal sequences.
Affected Products
- node-tar versions prior to 7.5.7
- Applications using node-tar for TAR archive extraction
- npm packages depending on vulnerable node-tar versions
Discovery Timeline
- 2026-01-28 - CVE CVE-2026-24842 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2026-24842
Vulnerability Analysis
This vulnerability (CWE-22: Path Traversal) stems from an inconsistency between how node-tar validates hardlink paths during security checks versus how it actually processes them during extraction. The security validation routine and the extraction logic interpret path components containing .. sequences differently, creating a window for exploitation.
When processing hardlink entries in a TAR archive, the library performs a security check to prevent path traversal attacks. However, the path resolution semantics used in the validation differ from those used when the hardlink is actually created. An attacker can exploit this semantic mismatch by crafting TAR archives where the hardlink path passes the security check but resolves to a location outside the extraction directory during actual creation.
Root Cause
The root cause lies in the src/unpack.ts file where the path sanitization logic for hardlinks did not properly account for the entry type when processing paths containing .. sequences. The security check and the actual file operation used inconsistent path resolution methods, allowing specially crafted paths to bypass validation.
Attack Vector
The attack requires user interaction where a victim must extract a maliciously crafted TAR archive. An attacker creates a TAR archive containing hardlink entries with carefully constructed paths that exploit the semantic mismatch between the security check and the extraction logic. When the archive is extracted:
- The malicious hardlink entry passes the initial path traversal security check
- During actual hardlink creation, the path resolves differently
- The hardlink is created pointing to a file outside the extraction directory
- The attacker can then read or modify sensitive files through the hardlink
field: 'path' | 'linkpath',
): boolean {
const p = entry[field]
+ const { type } = entry
if (!p || this.preservePaths) return true
const parts = p.split('/')
Source: GitHub Commit Update
Detection Methods for CVE-2026-24842
Indicators of Compromise
- TAR archives containing hardlink entries with .. path components
- Unexpected hardlinks created outside designated extraction directories
- File access anomalies indicating reading of sensitive configuration or system files
- Unusual node-tar extraction operations targeting sensitive file paths
Detection Strategies
- Monitor for TAR archive extraction operations that result in file access outside expected directories
- Implement file integrity monitoring on sensitive configuration files and directories
- Scan incoming TAR archives for hardlink entries containing path traversal sequences
- Review application logs for extraction errors or warnings from node-tar
Monitoring Recommendations
- Enable verbose logging for applications using node-tar to capture extraction operations
- Implement runtime application self-protection (RASP) to detect path traversal attempts
- Monitor npm dependency trees for vulnerable node-tar versions using npm audit
- Set up alerts for any file operations outside expected extraction boundaries
How to Mitigate CVE-2026-24842
Immediate Actions Required
- Update node-tar to version 7.5.7 or later immediately
- Run npm audit to identify applications using vulnerable node-tar versions
- Review all dependencies that may transitively include node-tar
- Scan recently extracted TAR archives for signs of exploitation
Patch Information
The vulnerability has been addressed in node-tar version 7.5.7. The fix ensures that the path sanitization logic properly considers the entry type when validating hardlink paths, ensuring consistent path resolution between security checks and actual file operations. The patch is available via the GitHub Security Advisory and can be applied by updating to the latest version.
Workarounds
- Enable the preservePaths: false option (default) and carefully review extraction targets
- Implement additional path validation before extracting TAR archives from untrusted sources
- Use containerization or sandboxing to limit the impact of potential path traversal attacks
- Restrict file system permissions for processes performing TAR extraction
# Configuration example
# Update node-tar to patched version
npm update tar@7.5.7
# Audit for vulnerable dependencies
npm audit --production
# Force update all tar dependencies
npm update tar --depth 99
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
