Bug 2433645 (CVE-2026-24842)
| Summary: | CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abrianik, abuckta, akostadi, alcohan, amasferr, aschwart, asoldano, ataylor, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, caswilli, cmah, darran.lofthouse, dbruscin, dfreiber, dhanak, dkuc, dmayorov, doconnor, dosoudil, drosa, drow, eaguilar, ebaron, ggrzybek, gmalinko, gparvin, ibek, istudens, ivassile, iweiss, janstey, jbalunas, jburrell, jcantril, jkoehler, jlledo, jolong, jrokos, kaycoth, kvanderr, kverlaen, lball, lchilton, lphiri, manissin, mnovotny, mosmerov, mposolda, mstipich, msvehla, ngough, nwallace, orabin, pahickey, pantinor, parichar, pberan, pdelbell, pesilva, pjindal, pmackay, rexwhite, rhaigner, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, smaestri, ssilvert, sthirugn, sthorger, tasato, teagle, tom.jenkinson, tsedmik, veshanka, vkumar, vmuzikar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in node-tar, a Node.js module for handling TAR archives. A remote attacker who can supply a crafted TAR archive for extraction can bypass node-tar's path traversal protections: the security check for hardlink entries resolves the link target with different logic than the code that actually creates the hardlink, so an entry that passes the check can still create a hardlink to a file outside the intended extraction directory. This could lead to unauthorized information disclosure or further system compromise. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2434699, 2434709, 2434719, 2434720, 2434725, 2434728, 2434732, 2434836, 2434837, 2434838, 2434839, 2434701, 2434702, 2434704, 2434705, 2434706, 2434708, 2434711, 2434712, 2434714, 2434715, 2434716, 2434718, 2434722, 2434723, 2434726, 2434729, 2434731 | ||
| Bug Blocks: | |||
Description
OSIDB Bzimport
2026-01-28 01:01:42 UTC