node-tar <=7.5.2 allows arbitrary file overwrite via unsanitized linkpath
CVE-2026-23745 Published on January 16, 2026

node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
node-tar is a tar implementation for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default, secure behavior). This allows malicious archives to bypass the extraction-root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.


Vulnerability Analysis

CVE-2026-23745 can be exploited with local system access; it requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. A public proof-of-concept (PoC) exploit exists for CVE-2026-23745. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Weakness Type

What is a Directory traversal Vulnerability?

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE-2026-23745 has been classified as a Directory traversal vulnerability or weakness.


Products Associated with CVE-2026-23745

Affected Versions

isaacs node-tar; Red Hat Enterprise Linux AppStream (v. 10); Red Hat Enterprise Linux AppStream (v. 9); Red Hat Network Observability (NETOBSERV) 1.11.2; Red Hat OpenShift AI 2.25; Red Hat OpenShift AI 3.3; Red Hat OpenShift Dev Spaces 3.27; Red Hat Trusted Artifact Signer 1.2; Red Hat Trusted Artifact Signer 1.3; Red Hat Confidential Compute Attestation; Logging Subsystem for Red Hat OpenShift; Red Hat Migration Toolkit for Containers; Red Hat OpenShift Lightspeed; Red Hat OpenShift Pipelines; Red Hat OpenShift Serverless; Red Hat 3scale API Management Platform 2; Red Hat Connectivity Link 1; Red Hat Developer Hub; Red Hat Enterprise Linux 6; Red Hat Enterprise Linux AI (RHEL AI) 3; Red Hat Fuse 7; Red Hat OpenShift AI (RHOAI); Red Hat OpenShift Container Platform 4; Red Hat Openshift Data Foundation 4; Red Hat OpenShift GitOps; Red Hat Satellite 6; Red Hat Cryostat 4; Red Hat Multicluster Engine for Kubernetes; Red Hat Node HealthCheck Operator; Red Hat Advanced Cluster Management for Kubernetes 2; Red Hat AMQ Broker 7; Red Hat Ansible Automation Platform 2; Red Hat build of Apache Camel - HawtIO 4; Red Hat Enterprise Linux 10; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Hardened Images; Red Hat JBoss Enterprise Application Platform 7; Red Hat JBoss Enterprise Application Platform 8; Red Hat JBoss Enterprise Application Platform Expansion Pack; Red Hat Process Automation 7; Red Hat Quay 3; Red Hat Single Sign-On 7

Vulnerable Packages

The following package and versions may be associated with CVE-2026-23745:

Package Manager: npm
Vulnerable Package: tar
Versions: <= 7.5.2
Fixed In: 7.5.3

Exploit Probability

EPSS: 0.31%
Percentile: 22.29%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.