CVE-2026-26960
Hardlink Vulnerability in node-tar Allows Arbitrary File Access
Publication date: 2026-02-20
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isaacs | tar | all versions before 7.5.8 (7.5.8 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26960 is a high-severity vulnerability in the node-tar package (versions 7.5.7 and below) used for extracting tar archives in Node.js. The issue arises because the package allows an attacker-controlled tar archive to create a hardlink inside the extraction directory that points to a file outside the extraction root. This happens due to improper handling of symbolic links and hard links during extraction, where the path checks do not resolve symlinks on disk, enabling path traversal attacks.
Specifically, the vulnerability allows an attacker to bypass path protections by exploiting a chain of symbolic links and a hardlink, causing the extraction process to create or overwrite files outside the intended directory. This effectively turns the archive extraction into a direct filesystem access primitive, allowing arbitrary file read and write operations with the privileges of the extracting user.
The vulnerability was fixed in version 7.5.8 by adding strict checks to prevent linkpaths from traversing symbolic links and by throwing errors when such traversal is detected.
How can this vulnerability impact me?
This vulnerability can have serious impacts if you use node-tar to extract untrusted tar archives. An attacker can craft a malicious archive that, when extracted, creates or overwrites files outside the intended extraction directory.
- Arbitrary file read: The attacker can read sensitive files outside the extraction root.
- Arbitrary file write: The attacker can overwrite or create files outside the extraction root, potentially modifying configuration files, scripts, or other critical data.
- Privilege scope: The attacker gains these capabilities with the privileges of the user running the extraction process.
- Potential consequences include exposure of sensitive information, unauthorized modification of files, and possible escalation of impact depending on the environment where extraction occurs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the creation of hardlinks inside the extraction directory that point outside the extraction root, bypassing path protections during tar archive extraction with node-tar versions 7.5.7 and below.
Detection can focus on monitoring extraction activities for suspicious hardlink or symbolic link creations that resolve outside the intended extraction directory.
You can check the version of node-tar installed to determine whether it is vulnerable by running:
- `npm list tar`
To detect exploitation attempts, monitor filesystem events for creation of hardlinks or symbolic links during tar extraction, especially those pointing outside the extraction directory.
Example commands to find suspicious hardlinks or symlinks in extraction directories:
- `find /path/to/extraction -type l -exec ls -l {} \;`
- `find /path/to/extraction -type f -links +1 -exec ls -l {} \;`
Additionally, you can audit tar extraction logs or enable verbose logging to detect errors related to symlink or hardlink creation failures, which may indicate attempted exploitation.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the node-tar package to version 7.5.8 or later, where this vulnerability has been fixed.
If upgrading immediately is not possible, consider the following steps:
- Avoid extracting untrusted tar archives using vulnerable node-tar versions.
- Use the `preservePaths` option cautiously, as enabling it disables protective linkpath checks and should only be used with trusted input.
- Implement additional filesystem monitoring to detect and block creation of hardlinks or symbolic links that escape the extraction directory.
The fix includes strict checks that prevent creation of hardlinks or symbolic links if their resolved paths traverse symbolic links outside the extraction root, throwing errors and aborting extraction in such cases.