CVE-2026-26960 Overview
CVE-2026-26960 is a path traversal vulnerability (CWE-22) in node-tar, a full-featured Tar library for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root. This vulnerability enables arbitrary file read and write operations as the extracting user, effectively bypassing path protections and turning archive extraction into a direct filesystem access primitive.
Critical Impact
This hardlink attack bypasses path protections in node-tar, allowing attackers to read or write arbitrary files outside the intended extraction directory. Applications that extract untrusted tar archives are at risk of complete filesystem compromise.
Affected Products
- isaacs tar (node-tar) versions ≤ 7.5.7
- Node.js applications using vulnerable node-tar versions
- Build systems and CI/CD pipelines processing untrusted tar archives
Discovery Timeline
- 2026-02-20 - CVE-2026-26960 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-26960
Vulnerability Analysis
This vulnerability exploits a flaw in how node-tar handles hardlinks during archive extraction. The library's path resolution logic fails to properly validate hardlink targets, allowing a malicious archive to create links that escape the extraction root directory. The attack requires local access (a crafted tar archive must be processed) and user interaction (the victim must extract the archive), but requires no special privileges to exploit.
The core issue stems from insufficient validation when processing hardlink entries in tar archives. While node-tar implements path traversal protections for regular file entries, the hardlink handling code contained a logic error that allowed bypass of these security checks.
Root Cause
The root cause is an improper path resolution in the symlink error handling code within src/unpack.ts. The original code incorrectly resolved paths relative to the target t instead of the current working directory cwd, which allowed hardlinks to reference paths outside the extraction boundary. This is a classic symlink/hardlink attack pattern where path validation occurs before the link is resolved, enabling escape from sandboxed directories.
Attack Vector
An attacker crafts a malicious tar archive containing a hardlink entry that points to a sensitive file outside the intended extraction directory (e.g., /etc/passwd, SSH keys, or application configuration files). When a victim application extracts this archive using the vulnerable node-tar library with default options, the hardlink is created successfully, bypassing path traversal protections. The attacker can then read sensitive data or overwrite critical files by manipulating the linked content.
// Vulnerable code path - incorrect path resolution
// Source: https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
if (er) return done()
if (st.isSymbolicLink()) {
return onError(
- new SymlinkError(t, path.resolve(t, parts.join('/'))),
+ new SymlinkError(t, path.resolve(cwd, parts.join('/'))),
)
}
}
The fix changes the path resolution from path.resolve(t, parts.join('/')) to path.resolve(cwd, parts.join('/')), ensuring proper validation against the extraction root.
Detection Methods for CVE-2026-26960
Indicators of Compromise
- Unexpected hardlinks appearing in extraction directories pointing to sensitive system files
- Log entries showing tar extraction operations followed by access to files outside the extraction path
- Modifications to critical system files such as /etc/passwd, SSH authorized_keys, or application configuration files coinciding with tar extraction activities
Detection Strategies
- Monitor file system operations during tar extraction for hardlink creation to paths outside the expected extraction directory
- Implement integrity monitoring on sensitive files and directories to detect unauthorized modifications
- Use software composition analysis (SCA) tools to identify applications using vulnerable node-tar versions (≤7.5.7)
- Review application logs for tar extraction operations processing untrusted or user-supplied archives
Monitoring Recommendations
- Deploy file integrity monitoring (FIM) on critical system files and application configuration directories
- Audit npm package dependencies across development and production environments for node-tar version tracking
- Configure alerts for unusual file access patterns following tar extraction operations
- Monitor for new hardlink creation events in temporary and extraction directories
How to Mitigate CVE-2026-26960
Immediate Actions Required
- Update node-tar to version 7.5.8 or later immediately across all affected applications
- Audit all applications that process tar archives from untrusted sources
- Review extracted content for unexpected hardlinks or symlinks before processing
- Implement application-level validation of archive contents before extraction
Patch Information
The vulnerability has been fixed in node-tar version 7.5.8. The security patch improves the symlink error path accuracy by correctly resolving paths relative to the current working directory rather than the target path. For detailed patch information, see the GitHub Security Advisory GHSA-83g3-92jg-28cx.
The fix is available in the following commits:
- Primary fix commit - Prevents writing linkpaths through symlinks
- Path resolution fix - Improves UnpackSync symlink error path accuracy
Workarounds
- If immediate patching is not possible, avoid extracting tar archives from untrusted sources
- Implement strict input validation to reject archives containing hardlinks or symlinks
- Run extraction operations in isolated environments (containers, sandboxes) with minimal filesystem access
- Use the noChmod, noMtime, and custom filter options to restrict extraction behavior
# Verify node-tar version and update if vulnerable
npm list tar
npm update tar@latest
# Or explicitly install the patched version
npm install tar@7.5.8
# For yarn users
yarn upgrade tar@7.5.8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
