CVE-2026-23745 - Vulnerability Details

CVE-2026-23745 - node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

References

Link	Providers
https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97

History

Fri, 16 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Title		node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
Weaknesses		CWE-22
References		https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-16T22:00:08.769Z

Updated: 2026-01-16T22:00:08.769Z

Reserved: 2026-01-15T15:45:01.958Z

Link: CVE-2026-23745

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-16T22:16:26.830

Modified: 2026-01-16T22:16:26.830

Link: CVE-2026-23745

Redhat

No data.

OpenCVE Enrichment

No data.

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object