CVE-2026-24842

HIGH

Isaacs Tar < 7.5.7 - Path Traversal

Description

node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Scores

CVSS v3 8.2
EPSS 0.0002
EPSS Percentile 6.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-59 CWE-22
Status published
Products (2)
isaacs/tar < 7.5.7
npm/tar 0 - 7.5.7 (npm)
Published Jan 28, 2026
Tracked Since Feb 18, 2026