Executive Summary

CVE-2026-26960 is a high-severity vulnerability in the node-tar package (versions 7.5.7 and below) used for extracting tar archives in Node.js. The issue arises because the package allows an attacker-controlled tar archive to create a hardlink inside the extraction directory that points to a file outside the extraction root. This happens due to improper handling of symbolic links and hard links during extraction, where the path checks do not resolve symlinks on disk, enabling path traversal attacks.

Specifically, the vulnerability allows an attacker to bypass path protections by exploiting a chain of symbolic links and a hardlink, causing the extraction process to create or overwrite files outside the intended directory. This effectively turns the archive extraction into a direct filesystem access primitive, allowing arbitrary file read and write operations with the privileges of the extracting user.

The vulnerability was fixed in version 7.5.8 by adding strict checks to prevent linkpaths from traversing symbolic links and by throwing errors when such traversal is detected.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts if you use node-tar to extract untrusted tar archives. An attacker can craft a malicious archive that, when extracted, creates or overwrites files outside the intended extraction directory.

• Arbitrary file read: The attacker can read sensitive files outside the extraction root.
• Arbitrary file write: The attacker can overwrite or create files outside the extraction root, potentially modifying configuration files, scripts, or other critical data.
• Privilege scope: The attacker gains these capabilities with the privileges of the user running the extraction process.
• Potential consequences include exposure of sensitive information, unauthorized modification of files, and possible escalation of impact depending on the environment where extraction occurs.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the creation of hardlinks inside the extraction directory that point outside the extraction root, bypassing path protections during tar archive extraction with node-tar versions 7.5.7 and below.

Detection can focus on monitoring extraction activities for suspicious hardlink or symbolic link creations that resolve outside the intended extraction directory.

You can check the version of node-tar installed to identify if it is vulnerable by running:

• npm list tar

To detect exploitation attempts, monitor filesystem events for creation of hardlinks or symbolic links during tar extraction, especially those pointing outside the extraction directory.

Example commands to find suspicious hardlinks or symlinks in extraction directories:

• find /path/to/extraction -type l -exec ls -l {} \;
• find /path/to/extraction -type f -links +1 -exec ls -l {} \;

Additionally, you can audit tar extraction logs or enable verbose logging to detect errors related to symlink or hardlink creation failures, which may indicate attempted exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the node-tar package to version 7.5.8 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, consider the following steps:

• Avoid extracting untrusted tar archives using vulnerable node-tar versions.
• Use the `preservePaths` option cautiously, as enabling it disables protective linkpath checks and should only be used with trusted input.
• Implement additional filesystem monitoring to detect and block creation of hardlinks or symbolic links that escape the extraction directory.

The fix includes strict checks that prevent creation of hardlinks or symbolic links if their resolved paths traverse symbolic links outside the extraction root, throwing errors and aborting extraction in such cases.

Useful 0 Not Useful 0