Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29786 is a high-severity vulnerability in the npm package "tar" (versions up to 7.5.9) that allows an attacker to create a hardlink pointing outside the intended extraction directory during tar archive extraction.'}, {'type': 'paragraph', 'content': 'The issue arises because the extraction logic does not properly handle drive-relative link targets such as "C:../target.txt". When such a path is processed, the function that strips absolute paths fails to detect the ".." directory traversal segment, allowing the path to escape the extraction directory.'}, {'type': 'paragraph', 'content': 'As a result, an attacker can overwrite arbitrary files outside the extraction directory with the permissions of the process performing the extraction by crafting a malicious tar archive containing such hardlinks.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to arbitrary file overwrite outside the intended extraction directory during normal tar extraction.

If you use CLI tools, build or update pipelines, or services that unpack untrusted or user-supplied tar archives using vulnerable versions of node-tar, an attacker could exploit this flaw to overwrite critical files on your system.

Such overwrites could compromise system integrity, lead to privilege escalation, or disrupt application functionality depending on which files are overwritten.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your system is using a vulnerable version of the node-tar package (version 7.5.9 or earlier). Specifically, look for usage of tar archives that contain hardlinks with drive-relative link targets such as "C:../target.txt" during extraction.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of this vulnerability, you can monitor for unexpected file overwrites outside the intended extraction directory, especially files that have been hardlinked.'}, {'type': 'paragraph', 'content': 'While no specific detection commands are provided in the resources, a practical approach includes:'}, {'type': 'list_item', 'content': 'Check the version of node-tar installed: `npm list tar` or `npm ls tar`'}, {'type': 'list_item', 'content': 'Inspect tar extraction logs or monitor file system changes outside expected directories after tar extraction.'}, {'type': 'list_item', 'content': 'Use file integrity monitoring tools to detect unexpected changes to files outside extraction directories.'}, {'type': 'list_item', 'content': 'If you have access to the tar archives, inspect them for hardlinks with suspicious linkpaths like "C:../target.txt" using commands like `tar -tvf archive.tar` and look for hardlink entries.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the node-tar package to version 7.5.10 or later, where this vulnerability has been patched.

Additionally, avoid extracting untrusted tar archives using vulnerable versions of node-tar, especially those that may contain malicious hardlinks with drive-relative paths.

If upgrading immediately is not possible, consider implementing strict validation or sandboxing of tar extraction processes to prevent file overwrites outside intended directories.

Review and apply the patch described in the node-tar repository which modifies the path sanitization logic to properly strip root components and prevent directory traversal via hardlinks and symlinks.

Useful 0 Not Useful 0