Bug 2433645 (CVE-2026-24842)

Summary: CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, aschwart, asoldano, aszczucz, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, bstansbe, caswilli, cmah, darran.lofthouse, dbruscin, dfreiber, dhanak, dkuc, dlofthou, dmayorov, doconnor, dosoudil, drichtar, drosa, drow, eaguilar, ebaron, eborisov, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jburrell, jcantril, jchui, jhe, jkoehler, jlledo, jolong, jraez, jrokos, kaycoth, ktsao, kvanderr, kverlaen, lball, lchilton, lphiri, manissin, mnovotny, mosmerov, mposolda, mstipich, msvehla, nboldt, ngough, nwallace, oaljalju, orabin, pahickey, pantinor, parichar, pberan, pdelbell, pesilva, pjindal, pmackay, psrna, rexwhite, rhaigner, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, smaestri, ssilvert, sthirugn, sthorger, tasato, teagle, thjenkin, tom.jenkinson, tsedmik, vdosoudi, veshanka, vkumar, vmuzikar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in node-tar, a Node.js module for handling TAR archives. This vulnerability allows a remote attacker to bypass path traversal protections by crafting a malicious TAR archive. The security check for hardlink entries uses different path resolution logic than the actual hardlink creation, enabling the attacker to create hardlinks to arbitrary files outside the intended extraction directory. This could lead to unauthorized information disclosure or further system compromise.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2434699, 2434709, 2434719, 2434720, 2434725, 2434728, 2434732, 2434836, 2434837, 2434838, 2434839, 2434701, 2434702, 2434704, 2434705, 2434706, 2434708, 2434711, 2434712, 2434714, 2434715, 2434716, 2434718, 2434722, 2434723, 2434726, 2434729, 2434731    
Bug Blocks:    

Description OSIDB Bzimport 2026-01-28 01:01:42 UTC 
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Comment 3 errata-xmlrpc 2026-05-19 09:02:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:18480 https://access.redhat.com/errata/RHSA-2026:18480
Comment 4 errata-xmlrpc 2026-05-19 13:16:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:18868 https://access.redhat.com/errata/RHSA-2026:18868