Bug 2433645 (CVE-2026-24842) - CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
Summary: CVE-2026-24842 node-tar: tar: node-tar: Arbitrary file creation via path trav...
Keywords:
Status: NEW
Alias: CVE-2026-24842
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2434699 2434702 2434709 2434719 2434720 2434725 2434728 2434732 2434836 2434837 2434838 2434839 2434701 2434704 2434705 2434706 2434708 2434711 2434712 2434714 2434715 2434716 2434718 2434722 2434723 2434726 2434729 2434731
Blocks:
Reported: 2026-01-28 01:01 UTC by OSIDB Bzimport
Modified: 2026-01-28 22:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-28 01:01:42 UTC
node-tar, a Tar implementation for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. Because of this mismatch, an attacker can craft a malicious TAR archive that bypasses the path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

