2430538 – (CVE-2026-23745) CVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives

Bug 2430538 (CVE-2026-23745) - CVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives

Summary: CVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink ...

Keywords:
Status:	NEW
Alias:	CVE-2026-23745
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2431086 2431098 2431103 2431105 2431106 2431108 2431109 2431113 2431115 2431116 2431088 2431090 2431092 2431094 2431095 2431096 2431097 2431099 2431100 2431101 2431102 2431104 2431107 2431110 2431111 2431112 2431114 2431117
Blocks:
TreeView+	depends on / blocked

Reported:	2026-01-16 23:01 UTC by OSIDB Bzimport
Modified:	2026-06-09 17:42 UTC (History)
CC List:	172 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:18480	0	None	None	None	2026-05-19 09:02:24 UTC
Red Hat Product Errata	RHSA-2026:18868	0	None	None	None	2026-05-19 13:16:15 UTC

Description OSIDB Bzimport 2026-01-16 23:01:50 UTC

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Comment 3 errata-xmlrpc 2026-05-19 09:02:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:18480 https://access.redhat.com/errata/RHSA-2026:18480

Comment 4 errata-xmlrpc 2026-05-19 13:16:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:18868 https://access.redhat.com/errata/RHSA-2026:18868

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
abrianik
abuckta
akostadi
alcohan
alizardo
amasferr
anjoseph
anpicker
anthomas
aschwart
asoldano
aszczucz
ataylor
bbaranow
bbrownin
bdettelb
bmaxwell
boliveir
bparees
brian.stansberry
bstansbe
carogers
caswilli
cmah
darran.lofthouse
dbosanac
dbruscin
dfreiber
dhanak
dkuc
dlofthou
dmayorov
doconnor
dosoudil
drichtar
drosa
drow
dschmidt
dsimansk
dymurray
eaguilar
ebaron
eborisov
ehelms
erezende
ggainey
ggrzybek
gmalinko
gparvin
haoli
hasun
hkataria
ibek
ibolton
istudens
ivassile
iweiss
jajackso
janstey
jbalunas
jburrell
jcammara
jcantril
jchui
jfula
jhe
jkoehler
jlanda
jlledo
jmatthew
jmitchel
jmontleo
jneedle
jolong
jowilson
jprabhak
jraez
jreimann
jrokos
juwatts
kaycoth
kegrant
kingland
koliveir
kshier
ktsao
kvanderr
kverlaen
lball
lchilton
lphiri
mabashia
manissin
mattdavi
matzew
mdessi
mhulan
mnovotny
mosmerov
mposolda
mrizzi
mstipich
msvehla
nboldt
ngough
nmoumoul
nwallace
nyancey
oaljalju
ometelka
orabin
osousa
owatkins
pahickey
pantinor
parichar
pberan
pbohmill
pbraun
pcattana
pcreech
pdelbell
pesilva
pgaikwad
pjindal
pmackay
psrna
ptisnovs
rchan
rekumar
rexwhite
rhaigner
rhel-process-autobot
rjohnson
rmartinc
rojacob
rstancel
rstepani
sausingh
sdawley
sfeifer
shvarugh
simaishi
slucidi
smaestri
smallamp
smcdonal
sseago
ssilvert
stcannon
sthirugn
sthorger
syedriko
tasato
teagle
tfister
thavo
thjenkin
tmalecek
tom.jenkinson
tsedmik
vdosoudi
veshanka
vkumar
vmuzikar
vvoronko
watson-tool-maintainers
wtam
xdharmai
yguenane