CVE-2026-24842
HIGH
isaacs/tar < 7.5.7 - Path Traversal via Hardlink Entry Mismatch
Title source: llm
Description
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
References (2)
Core References
Exploit, Vendor Advisory x_refsource_confirm
https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
Scores
CVSS v3
8.2
EPSS
0.0052
EPSS Percentile
39.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-59
CWE-22
Status
published
Products (2)
isaacs/tar
< 7.5.7
npm/tar
0 - 7.5.7 (npm)
Published
Jan 28, 2026
Tracked Since
Feb 18, 2026