DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-qffp-2rhf-9h96: Hardlink Path Traversal in node-tar via Drive-Relative Paths

Vulnerability ID: GHSA-QFFP-2RHF-9H96
CVSS Score: 8.3
Published: 2026-03-05

A high-severity path traversal vulnerability exists in node-tar (the npm package tar) in versions prior to 7.5.10. A malicious tar archive can contain hardlink entries whose link path is a Windows drive-relative path such as C:../target, that is, a drive letter followed directly by a relative path with no separator after the colon. The sanitization logic checks for traversal sequences before it strips the drive root, so C:../target is not recognized as traversal; once the C: prefix is removed, the remaining ../target escapes the extraction root and the hardlink is created against a file outside it. The result is an arbitrary file overwrite on the system extracting the archive.

TL;DR

Attackers can overwrite arbitrary files by tricking node-tar into creating hardlinks that point outside the extraction directory (node-tar's cwd), using drive-relative link paths such as C:../. Fixed in version 7.5.10.


⚠️ Exploit Status: PoC available

Technical Details

  • CVSS v4.0: 8.3 (High)
  • Attack Vector: Local (User Interaction Required)
  • Vulnerability Type: Path Traversal (CWE-22)
  • Affected Component: node-tar (npm package 'tar')
  • Impact: Arbitrary File Overwrite
  • Exploit Status: PoC Available

Affected Systems

  • Node.js applications using the tar package before 7.5.10 (fixed in 7.5.10)
  • CI/CD pipelines processing tarballs
  • npm registry clients
  • Server-side file processing services

Code Analysis

Commit: 7bc755d

Commit message: Fix hardlink path traversal via drive-relative linkpath

Exploit Details

  • GitHub Advisory: Functional PoC demonstrating an outside-of-CWD overwrite using drive-relative paths.

Mitigation Strategies

  • Upgrade to node-tar version 7.5.10 or later.
  • Run extraction processes with least privilege and in a dedicated extraction directory, so that a link created outside the extraction root cannot reach files the process has no business writing.
  • Audit dependency trees for vulnerable transitive copies of tar; updating a direct dependency does not fix copies nested under other packages.

Remediation Steps:

  1. Identify vulnerable copies of tar with npm audit or yarn audit, and list every installed copy, including nested transitive ones, with npm ls tar --all (or yarn why tar).
  2. Update package.json to require tar >= 7.5.10; for copies pulled in by other dependencies, add an overrides (npm) or resolutions (yarn) entry, or update the dependency that bundles them.
  3. Run npm update tar or yarn upgrade tar. Note that npm update only moves within the range already declared in package.json, so a range that excludes 7.5.10 needs npm install tar@^7.5.10 instead.
  4. Verify the installed versions with npm ls tar --all and confirm that nothing below 7.5.10 remains.
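Steps 1 and 4 above are easy to get wrong when tar is only a transitive dependency, because a top-level update leaves nested copies in place. The following added example (not from the advisory, node-tar or npm) walks the JSON tree that `npm ls tar --all --json` prints, reports every copy below 7.5.10 with the dependency chain that pulls it in, and emits the package.json `overrides` entry that pins them. The tree it runs on is constructed sample data; the package names other than tar and all of the versions are made up:

```javascript
'use strict';
// Added example, not from the advisory or npm: walks the JSON tree printed by
// `npm ls tar --all --json` and reports every installed copy of `tar` below
// the fixed release, including transitive copies that a top-level
// `npm update tar` does not touch. The tree below is constructed sample data.

const FIXED = '7.5.10';

// Compare two "x.y.z" versions numerically (so 7.10.0 > 7.9.0); pre-release
// suffixes are ignored for this purpose.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect { chain, version } for every dependency named `pkg`
// whose version is below `fixed`. `node` is one entry of npm's JSON output.
function findVulnerable(node, pkg, fixed, chain = [], out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...chain, `${name}@${child.version}`];
    if (name === pkg && child.version && compareSemver(child.version, fixed) < 0) {
      out.push({ chain: here.join(' > '), version: child.version });
    }
    findVulnerable(child, pkg, fixed, here, out);
  }
  return out;
}

// Constructed sample with the shape of `npm ls --all --json`; the package
// names other than tar and all versions are made up for the demonstration.
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    tar: { version: '7.5.10' },
    'some-cli': {
      version: '2.1.0',
      dependencies: { tar: { version: '6.2.1' } },
    },
    'build-tool': {
      version: '0.9.0',
      dependencies: {
        'nested-lib': {
          version: '1.2.3',
          dependencies: { tar: { version: '7.4.3' } },
        },
      },
    },
  },
};

// A package.json `overrides` block (npm 8.3+) that pins every nested copy;
// yarn's equivalent field is `resolutions`.
function overridesFor(pkg, fixed) {
  return { overrides: { [pkg]: `^${fixed}` } };
}

function report(tree) {
  const hits = findVulnerable(tree, 'tar', FIXED);
  const lines = hits.map((h) => `vulnerable tar ${h.version}: ${h.chain}`);
  if (hits.length > 0) {
    lines.push('add to package.json: ' + JSON.stringify(overridesFor('tar', FIXED)));
  }
  return lines;
}

console.log(report(SAMPLE_TREE).join('\n'));
```

To run it against a real project, replace SAMPLE_TREE with `JSON.parse` of the output of `npm ls tar --all --json`. Forcing a nested copy across a major version with `overrides` can break the package that depends on it, so check that package's release notes or pin to the lowest fixed release its range allows before shipping the override.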
