CVE-2026-23745

MEDIUM

tar < 7.5.3 - Arbitrary File Overwrite and Symlink Poisoning via Hardlink and SymbolicLink Entries

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-23745. PoCs published by Jvr2022, XZ1r0, Novem13th.

AI-analyzed exploit summary: This PoC demonstrates CVE-2026-23745, a path traversal vulnerability in node-tar (<7.5.2) that allows arbitrary file overwrite via unsanitized absolute paths in tar archive link fields. The exploit generates a malicious archive and verifies the vulnerability by overwriting a local file.

Description

node-tar is a tar implementation for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default, secure behaviour). This allows malicious archives to bypass the extraction root restriction, leading to arbitrary file overwrite via hardlinks and symlink poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Exploits (3)

nomisec · WORKING POC · 21 stars
by Jvr2022 · poc
https://github.com/Jvr2022/CVE-2026-23745

This PoC demonstrates CVE-2026-23745, a path traversal vulnerability in node-tar (<7.5.2) that allows arbitrary file overwrite via unsanitized absolute paths in tar archive link fields. The exploit generates a malicious archive and verifies the vulnerability by overwriting a local file.

Classification: Working PoC 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: node-tar <7.5.2
No auth needed
Prerequisites: Vulnerable version of node-tar installed · Ability to execute JavaScript on the target system
devstral-2 · analyzed Feb 16, 2026
github · WORKING POC
by XZ1r0 · python · poc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/web/CVE-2026-23745

This repository contains a functional PoC for CVE-2026-23745, demonstrating an arbitrary file overwrite vulnerability in node-tar versions <7.5.3. The exploit leverages unsanitized absolute paths in tar headers to bypass extraction root restrictions.

Classification: Working PoC 100%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: node-tar <7.5.3
No auth needed
Prerequisites: node-tar version <7.5.3 installed
devstral-2 · analyzed May 21, 2026
nomisec · WORKING POC
by Novem13th · poc
https://github.com/Novem13th/CVE-2026-23745-via-graphql-DEMO

This repository contains a functional exploit for CVE-2026-23745, demonstrating an arbitrary file overwrite vulnerability via malicious tar archive extraction in a GraphQL endpoint. The PoC includes both JavaScript and Python implementations to create and trigger the exploit.

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: GraphQL endpoint with tar extraction functionality
No auth needed
Prerequisites: Access to a vulnerable GraphQL endpoint · Ability to send crafted tar archives
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3: 6.1
EPSS: 0.0001
EPSS Percentile: 1.4%
Attack Vector: LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (2)
isaacs/tar < 7.5.3
npm/tar 0 - 7.5.3 (npm)
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026