CVE: CVE-2026-23745
Name: node-tar — Arbitrary File Overwrite & Link Path Traversal
CVSS Score: 8.2 (High)
Severity: High
Exploitability: Moderate — Proof-of-Concept (PoC) publicly available, requires a malicious tar archive and an extraction step by vulnerable code.
Exploit Availability: Known proof-of-concepts exist
Official Patch / Upgrade: Upgrade node-tar to version 7.5.3 or later
Overview
node-tar is a JavaScript library used for reading and writing .tar archives in Node.js applications. In all versions up to and including 7.5.2, the logic that handles hardlinks and symbolic links inside a .tar archive did not properly validate the destination paths (linkpath). As a result, a tarball crafted by an attacker can escape the intended extraction directory and overwrite files elsewhere on disk if the process extracting it has write permissions. This can lead to modification of configuration files, scripts, or other sensitive assets — and in chained scenarios, can enable further compromise.
The vulnerability was addressed in 7.5.3 by adding proper validation to ensure that any link targets remain within the safe extraction area.
Technical Explanation
When extracting a tar file, entries include file type and paths. Two special types are:
- Hardlink entries, where entry A points to existing file B.
- SymbolicLink entries, where entry A is a symlink to some path B.
In vulnerable versions, the library resolved the link targets (linkpath) without checking whether the resolved path was inside the intended extraction output directory. This means:
- A crafted tar could include a hardlink to an absolute file outside the extraction root (e.g., /etc/passwd or a sensitive config file).
- When the extraction code processes that tar and writes to the hardlinked path inside the output directory, the hardlink causes the external file to be modified instead.
- Similarly, a symbolic link entry could create a symlink under the output directory that points at an absolute path (again, outside the safe extraction area). Writes following that symlink then affect the outside target.
This is not blocked by the default preservePaths: false setting; the core issue is missing sanitization of the linkpath in both hardlink and symbolic link entries.
Exploitation Methods
- Hardlink Overwrite:
A malicious archive defines a hardlink that points to a sensitive external file. Once extracted, writing a file inside the directory follows the hardlink and overwrites the external file with attacker-controlled content.
- Symlink Poisoning:
A malicious archive includes a symbolic link that points to an absolute path such as /.env or /etc/hosts. Subsequent operations (within the same extract run or following code in the application) write data that gets redirected via the symlink into those sensitive files.
These exploitation paths do not require elevated privileges beyond whatever the extraction process already has. If the extractor runs as a service account with write access to important files/directories, that’s sufficient.
Proof-of-Concept (PoC) Summary
A PoC tar file would typically:
- Include a file entry for a regular file with normal contents.
- Include a hardlink entry where linkpath is an absolute path on the host.
- Include a symbolic link entry where linkpath is also an absolute path on the host.
- When a vulnerable extraction routine processes this tar, it creates links that point outside the extraction area.
The crafted archive ensures that subsequent writes to the first file inside the extraction directory are mirrored to the external target due to the hardlink, or are redirected via an external path due to the symlink.
Affected / Fixed Versions
- Affected: node-tar versions up to and including 7.5.2
- Fixed: 7.5.3 and later — ensure all projects and dependency trees use 7.5.3 or newer.
Upgrade instructions are typically: update your package.json and run npm install tar@7.5.3 (or yarn add tar@7.5.3), then rebuild lockfiles to force the patched version into your dependency graph.
Official patch link: https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
How to Detect Exploitation
Detection is best approached through logs and behavior outside expected patterns. Look for:
1. File System Activity (Audit / Filesystem Logs)
- Unexpected symlink or hardlink creation by Node processes that reference absolute paths outside the intended extraction root.
- Writes to sensitive files from processes (especially node) that normally don’t modify those files.
- Modification timestamps on config files or host system artifacts that correspond to recent extraction events.
Examples of suspicious patterns:
- node creating symlinks such as … -> /etc/…
- Hardlink creation where the link target is outside the project’s artifact directory
- Writes to system config files originating from application extraction paths
If you have auditing enabled (like Linux auditd, macOS FSEvents, or Windows ETW), generate logs for link and write operations and look for:
- symlink and link syscall events with targets outside internal paths.
- File writes by user/service accounts that normally never touch outside paths.
SIEM Detection Rules
Here are ready-to-adapt rules for central log platforms:
Rule: Detect Node Creating Symlinks to Absolute Paths
If your SIEM ingests audit records (e.g., syscalls) or endpoint logs:
title: Suspicious node process creating symlink to absolute path
description: Detect when a Node.js process creates symlinks with absolute targets outside the extraction root.
logsource:
  product: linux
  service: auditd
detection:
  selection:
    syscall: symlink
    process_name: node
    target_path|startswith: "/"
  condition: selection
level: high
This flags Node processes issuing symlink calls with absolute targets.
Rule: Hardlink Creation to Outside Paths
title: Suspicious hardlink creation by Node
description: Detect Node.js linking files into absolute or parent-escape locations
logsource:
  product: linux
  service: auditd
detection:
  selection:
    syscall: link
    process_name: node
    new_path|startswith: "/"
  condition: selection
level: high
This triggers when a hardlink call tries to link outside the expected area.
Rule: Unexpected Writes to Critical Files
Focus on paths like /etc, service directories, environment files:
title: Unexpected write to sensitive file by Node
description: Detect writes to sensitive locations by unexpected processes
logsource:
  product: linux
  service: auditd
detection:
  selection:
    syscall: open
    operation: write
    process_name: node
    filepath|startswith: ["/etc/", "/usr/local/", "/var/"]
  condition: selection
level: critical
Indicators of Compromise (IoCs)
- Creation of symlinks within application directories that point to absolute system paths.
- Relative paths that escape the intended extraction area (e.g., containing ../ that resolves outside the root).
- Sudden modification of configuration or system files after archive extraction events.
- Node processes linked to tar extraction performing unexpected file operations.
Mitigation & Prevention
- Patch Immediately: Update to node-tar 7.5.3 or later across all projects, especially those that extract user-provided archives.
- Validate Archives Before Extraction: Reject .tar files that contain link entries with absolute paths or traversal (../) in their link targets.
- Sandbox Extraction: Always perform extraction in isolated environments (containers, restricted filesystem namespaces) if untrusted input is involved.
- Lock Dependencies: Regenerate lockfiles (package-lock.json/yarn.lock) and rebuild to ensure sub-dependencies adopt the patched version.
Final Takeaway
This vulnerability stems from insufficient sanitization of link paths in tar archives processed by vulnerable node-tar. An attacker who can get a crafted tar file extracted by your application or build process can cause file overwrites outside the intended directory. The risk is real in scenarios where archives originate from untrusted sources or automated pipelines. The only reliable fix is updating to 7.5.3 or above. The SIEM rules above help you catch suspicious activity in your environment connected to this flaw.
