CVE-2026-23745

MEDIUM

node-tar <=7.5.2 - Path Traversal via Unsanitized Hardlink and Symlink Targets

Title source: llm

Description

node-tar is a tar implementation for Node.js. In versions up to and including 7.5.2 it does not sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false, which is the default and the intended secure setting. A malicious archive can therefore bypass the extraction-root restriction: a hardlink entry whose linkpath points outside the root lets the archive overwrite an arbitrary file, and a symlink entry with an absolute target plants a symlink pointing outside the root (symlink poisoning). Fixed in 7.5.3; in affected versions the default preservePaths: false does not protect against this, so upgrade rather than rely on it.

Exploits (2)

nomisec WORKING POC 21 stars
by Jvr2022 · poc
https://github.com/Jvr2022/CVE-2026-23745
nomisec WORKING POC
by Novem13th · poc
https://github.com/Novem13th/CVE-2026-23745-via-graphql-DEMO

Scores

CVSS v3 6.1
EPSS 0.0001
EPSS Percentile 0.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Details

CWE
CWE-22
Status published
Products (2)
isaacs/tar < 7.5.3
npm/tar 0 - 7.5.3 (npm)
Published Jan 16, 2026
Tracked Since Feb 18, 2026