Bug 2430538 (CVE-2026-23745) - CVE-2026-23745 node-tar: tar: node-tar: Arbitrary file overwrite and symlink poisoning via unsanitized linkpaths in archives
Keywords:
Status: NEW
Alias: CVE-2026-23745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2431086 2431088 2431092 2431095 2431096 2431098 2431099 2431100 2431101 2431102 2431103 2431104 2431105 2431106 2431108 2431109 2431110 2431111 2431112 2431113 2431114 2431115 2431116 2431090 2431094 2431097 2431107 2431117
Blocks:
Reported: 2026-01-16 23:01 UTC by OSIDB Bzimport
Modified: 2026-01-20 05:00 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-16 23:01:50 UTC
node-tar is a tar implementation for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default, secure behavior). This allows a malicious archive to bypass the extraction-root restriction, leading to arbitrary file overwrite via hardlinks and symlink poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

