CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23745: Tar-pit of Doom: Escaping the Root in node-tar

Vulnerability ID: CVE-2026-23745
CVSS Score: 8.2
Published: 2026-01-16

A high-severity (CVSS 8.2) path traversal vulnerability in the ubiquitous node-tar library allows malicious archives to bypass extraction root restrictions. By giving hardlink and symlink entries absolute-path targets, an attacker can overwrite arbitrary system files or poison symbolic links, effectively turning a routine archive extraction into an arbitrary file write on the host.

TL;DR

node-tar <= 7.5.2 failed to sanitize the targets of hardlinks and symlinks. If an archive contains a link whose target is an absolute path (e.g., /etc/passwd), node-tar would create it as-is, ignoring the intended extraction directory. This leads to arbitrary file overwrite and potential RCE through manipulation of configuration files.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22 (Path Traversal)
  • CVSS 4.0: 8.2 (High)
  • Attack Vector: Local (Archive Upload)
  • Affected Components: unpack.ts (Link/SymbolicLink handling)
  • Impact: Arbitrary File Overwrite / Symlink Poisoning
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Node.js applications using node-tar
  • CI/CD pipelines processing untrusted archives
  • Server-side applications with file upload/extraction features
  • node-tar: <= 7.5.2 (Fixed in: 7.5.3)

Code Analysis

Commit: 340eb28

Fix: strip absolute paths from link targets

@@ -150,7 +150,8 @@
-      if (!this[CHECKPATH](entry))
+      if (
+        !this[STRIPABSOLUTEPATH](entry, 'path') ||
+        !this[STRIPABSOLUTEPATH](entry, 'linkpath')
+      )
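Review bot: the condition now evaluates `this[STRIPABSOLUTEPATH](entry, 'linkpath')` for every entry, but only Link and SymbolicLink entries carry a linkpath; confirm that STRIPABSOLUTEPATH returns true for an undefined or empty linkpath, otherwise ordinary File and Directory entries will fail this check. Also, the removed `this[CHECKPATH](entry)` call is replaced rather than supplemented, so whatever CHECKPATH validated beyond an absolute-path prefix (the new method's name suggests it only strips leading roots) must still be enforced elsewhere. Note that the hunk as shown is incomplete: the header `@@ -150,7 +150,8 @@` implies a net change of one line, while the visible `-`/`+` lines net +3, so the surrounding lines, including the body this condition guards, are missing from this excerpt and should be included in the review.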

Exploit Details

  • GitHub: Proof of Concept included in advisory demonstrating arbitrary file overwrite.

Mitigation Strategies

  • Input Validation: Ensure all archive entries are validated for path traversal before filesystem operations.
  • Principle of Least Privilege: Run extraction processes in sandboxed environments with limited filesystem access.
  • Dependency Management: Regularly audit and update deep (transitive) dependencies.

Remediation Steps:

  1. Identify vulnerable instances using npm audit or yarn audit.
  2. Upgrade node-tar to version 7.5.3 or later.
  3. Verify that preservePaths is not enabled in your implementation unless strictly necessary.
  4. Rebuild lockfiles to ensure sub-dependencies use the patched version.

Read the full report for CVE-2026-23745 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (1)

Jvr (jvr2022)

Thanks for creating this article about the tar vulnerability I found!