CVE-2026-29786 Overview
CVE-2026-29786 is a path traversal vulnerability in node-tar, a full-featured Tar library for Node.js. Prior to version 7.5.10, the library can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt. This enables file overwrite outside the current working directory during normal tar.x() extraction operations.
Critical Impact
Attackers can leverage maliciously crafted tar archives to overwrite arbitrary files outside the intended extraction directory, potentially leading to code execution or system compromise.
Affected Products
- isaacs tar (versions prior to 7.5.10)
- node-tar npm package for Node.js
- Applications using vulnerable node-tar versions for archive extraction
Discovery Timeline
- 2026-03-07 - CVE-2026-29786 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29786
Vulnerability Analysis
This path traversal vulnerability (CWE-22) exists in how node-tar handles drive-relative paths on Windows systems. The vulnerability stems from insufficient sanitization of path components before creating hardlinks during archive extraction. When processing tar entries, the library failed to properly parse and strip the root portion from drive-relative paths like C:../target.txt before sanitizing parent directory references (..).
The attack requires local access and some user interaction, as a victim must extract a maliciously crafted tar archive. The vulnerability enables high-integrity impact through arbitrary file overwrites, which could allow an attacker to overwrite configuration files, scripts, or binaries with attacker-controlled content.
Root Cause
The root cause lies in the stripAbsolutePath function within src/strip-absolute-path.ts and the path handling logic in src/unpack.ts. The original implementation did not properly handle Windows drive-relative paths (e.g., C:../foo) before sanitizing directory traversal sequences. These paths would bypass the sanitization logic, allowing the .. components to escape the extraction directory.
Attack Vector
An attacker can create a malicious tar archive containing a hardlink entry with a drive-relative path target such as C:../../../target.txt. When a victim extracts this archive using a vulnerable version of node-tar via tar.x() or similar extraction methods, the hardlink will be created pointing to a file outside the intended extraction directory. This allows the attacker to overwrite arbitrary files accessible by the user running the extraction.
// Security patch in src/strip-absolute-path.ts
// Source: https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
// explicitly if it's the first character.
// drive-specific relative paths on Windows get their root stripped off even
// though they are not absolute, so `c:../foo` becomes ['c:', '../foo']
-export const stripAbsolutePath = (path: string) => {
+export const stripAbsolutePath = (path: string): [string, string] => {
let r = ''
let parsed = parse(path)
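Review bot: the comment in this hunk promises that `c:../foo` becomes ['c:', '../foo'], but the only visible change is the `[string, string]` return annotation on `stripAbsolutePath`; the loop that strips `parsed.root` when a path is drive-relative but not absolute lies outside this excerpt, so the change should ship with a unit test asserting `stripAbsolutePath('c:../foo')` returns `['c:', '../foo']` and that `c:\foo` and a bare `c:` still strip to the expected pair.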
// Security patch in src/unpack.ts
// Source: https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f
const { type } = entry
if (!p || this.preservePaths) return true
- const parts = p.split('/')
+ // strip off the root
+ const [root, stripped] = stripAbsolutePath(p)
+ const parts = stripped.replace(/\\/g, '/').split('/')
if (
parts.includes('..') ||
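Review bot: the early return `if (!p || this.preservePaths) return true` still skips this whole check when preservePaths is set, so the option documentation should state that `preservePaths: true` remains unsafe for untrusted archives even after this fix. In the `const [root, stripped] = stripAbsolutePath(p)` line, `root` is destructured but unused in the visible lines; rename it `_root` or drop it unless it feeds a warning elsewhere. Since the advisory concerns the hardlink target, also confirm that the same stripping and `..` test are applied to a Link entry's linkpath, not only to the entry path `p`.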
Detection Methods for CVE-2026-29786
Indicators of Compromise
- Unexpected file modifications or creations outside of expected extraction directories
- Tar archive extraction operations creating files in parent directories or system paths
- Hardlinks pointing to locations outside the working directory after archive extraction
- Suspicious tar archives containing entries with drive-relative paths like C:../
Detection Strategies
- Monitor file system activity during tar extraction operations for writes outside expected directories
- Implement static analysis scanning of npm dependencies to identify vulnerable node-tar versions
- Use software composition analysis (SCA) tools to detect tar package versions prior to 7.5.10
- Review application logs for archive extraction errors or unexpected path resolutions
Monitoring Recommendations
- Enable file integrity monitoring on critical system files and configuration directories
- Implement logging for all tar extraction operations in Node.js applications
- Monitor npm audit outputs for known vulnerabilities in project dependencies
- Configure endpoint detection for suspicious hardlink creation patterns
How to Mitigate CVE-2026-29786
Immediate Actions Required
- Update node-tar to version 7.5.10 or later immediately
- Audit applications for direct or transitive dependencies on vulnerable node-tar versions
- Review recently extracted tar archives for potential exploitation indicators
- Implement file integrity checks on systems that have processed untrusted tar archives
Patch Information
The vulnerability has been patched in node-tar version 7.5.10. The fix modifies the path handling logic to properly strip the root component from drive-relative paths before sanitizing directory traversal sequences. The patch is available via the GitHub commit. For detailed information, refer to the GitHub Security Advisory GHSA-qffp-2rhf-9h96.
Workarounds
- Avoid extracting tar archives from untrusted sources until the patch is applied
- Run archive extraction in sandboxed or containerized environments with limited file system access
- Validate tar archive contents before extraction using pre-processing checks
- Keep preservePaths at its default of false when calling tar extraction functions; preservePaths: true bypasses the path checks entirely, including the patched one
# Configuration example
# Update the installed tar package to the newest version your package.json range allows
npm update tar
# Or raise the range in package.json so that 7.5.10 or later is required
npm install tar@^7.5.10 --save
# Verify the installed version (transitive copies are listed too)
npm list tar
# Report any remaining vulnerable versions in the dependency tree
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.