CVE-2026-23745 - Vulnerability Details

CVE-2026-23745 - node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00005.

Key SSVC decision points have not yet been added.

Vendors	Products
Isaacs Subscribe	Tar Subscribe

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Isaacs Subscribe	Tar Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-8qq5-rm4j-mr97	node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97

History

Mon, 19 Jan 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Isaacs Isaacs tar
Vendors & Products		Isaacs Isaacs tar

Fri, 16 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Title		node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
Weaknesses		CWE-22
References		https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
Metrics		cvssV4_0 `{'score': 8.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-01-16T22:00:08.769Z

Updated: 2026-01-16T22:00:08.769Z

Reserved: 2026-01-15T15:45:01.958Z

Link: CVE-2026-23745

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-01-16T22:16:26.830

Modified: 2026-01-16T22:16:26.830

Link: CVE-2026-23745

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-01-19T09:19:46Z

Weaknesses

CWE-22

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object