CVE-2026-29786
Directory Traversal via Hardlink in node-tar Allows File Overwrite
Publication date: 2026-03-07
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| isaacs | tar (node-tar) | < 7.5.10, i.e. all releases up to and including 7.5.9 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-59 | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29786 is a high-severity vulnerability in the npm package "tar" (node-tar, versions up to and including 7.5.9) that allows a crafted archive to create a hardlink whose target lies outside the intended extraction directory.

The issue arises because the extraction logic does not properly handle drive-relative link targets such as "C:../target.txt". When such a target is processed, the function that strips absolute paths fails to detect the ".." traversal segment that follows the drive letter, so the path escapes the extraction directory.

As a result, an attacker who can supply a tar archive containing such a hardlink can overwrite arbitrary files outside the extraction directory with the permissions of the process performing the extraction. [1]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary file overwrite outside the intended extraction directory during normal tar extraction.
If you use CLI tools, build or update pipelines, or services that unpack untrusted or user-supplied tar archives using vulnerable versions of node-tar, an attacker could exploit this flaw to overwrite critical files on your system.
Such overwrites could compromise system integrity, lead to privilege escalation, or disrupt application functionality depending on which files are overwritten.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your system uses a vulnerable version of the node-tar package (7.5.9 or earlier). Exploitation requires an archive containing a hardlink entry whose link target is drive-relative, such as "C:../target.txt", so archives can also be inspected before extraction.

To detect exploitation attempts, monitor for unexpected file overwrites outside the intended extraction directory, especially files that have been hardlinked.

No specific detection commands are provided in the resources, but a practical approach includes:

- Check the installed version of node-tar in each project: `npm ls tar` (or its alias `npm list tar`); note that several copies can exist in nested node_modules directories and each must be 7.5.10 or later.
- Inspect tar extraction logs or monitor file system changes outside expected directories after tar extraction.
- Use file integrity monitoring tools to detect unexpected changes to files outside extraction directories.
- If you have access to the tar archives, list them with `tar -tvf archive.tar` (GNU tar prints a hardlink entry as `name link to target`) and look for link targets that start with a drive letter or a root separator, or that contain a `..` segment. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the node-tar package to version 7.5.10 or later, where this vulnerability is patched; check every copy in your dependency tree, not just the top-level one.
Until then, do not extract untrusted or user-supplied tar archives with vulnerable versions of node-tar; a crafted archive only needs a single hardlink entry with a drive-relative target to trigger the bug.
If upgrading immediately is not possible, extract in a sandbox (a dedicated unprivileged user, a container, or a throwaway directory on a separate volume) and validate entries before extraction: reject hardlink and symlink entries whose targets are absolute, drive-relative or contain ".." segments, or drop link entries altogether if your use case does not need them.
Review and apply the patch described in the node-tar repository which modifies the path sanitization logic to properly strip root components and prevent directory traversal via hardlinks and symlinks.