CVSS 4.0 score: 7.6

Node.js Tar Library Fails to Prevent File Overwrite

UBUNTU-CVE-2026-29786
Summary

A bug in the Node.js Tar library can allow malicious files to be extracted to unintended locations. This could potentially allow an attacker to overwrite important system files. Update to version 7.5.10 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
canonical | node-tar | All versions |
canonical | node-tar | All versions |
canonical | node-tar | All versions |
canonical | node-tar | All versions |
canonical | node-tar | All versions |
canonical | node-tar | All versions |
canonical | node-tar | All versions |
Original title
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target ...
Original description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
osv CVSS4.0 7.6
Published: 9 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026
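
The drive-relative link target from the description, checked from the extracting side. This is an added example, not node-tar's code or its 7.5.10 patch. It assumes a hardlink target is resolved against an absolute Windows extraction directory and uses Node's `path.win32` so it behaves the same on any OS; `C:\extract`, `naiveHasDotDot`, `resolveLinkTarget` and `linkTargetStaysInside` are hypothetical names.

```javascript
// Added example: Windows path semantics via path.win32, so it runs on any OS.
const { win32 } = require('node:path');

// Hypothetical naive filter: reject a link target that has a ".." segment.
function naiveHasDotDot(linkpath) {
  return linkpath.split(/[\\/]/).includes('..');
}

// Assumption: a hardlink target is resolved against the extraction directory.
function resolveLinkTarget(extractDir, linkpath) {
  return win32.resolve(extractDir, linkpath);
}

// Accept only a plain relative target that still lands under extractDir.
function linkTargetStaysInside(extractDir, linkpath) {
  const root = win32.resolve(extractDir);
  // parse().root is "C:" for drive-relative, "C:\" for absolute, "\\host\share\"
  // for UNC and "\" for rooted paths; a plain relative path has an empty root.
  if (win32.parse(linkpath).root !== '') return false;
  const rel = win32.relative(root, win32.resolve(root, linkpath));
  if (rel === '' || rel === '..' || rel.startsWith('..\\')) return false;
  return !win32.isAbsolute(rel);
}

// Constructed sample link targets, checked against a hypothetical C:\extract.
const samples = ['sub/a.txt', '..foo.txt', '../target.txt', 'C:../target.txt', 'C:\\Windows\\x'];
for (const s of samples) {
  console.log(s.padEnd(18), {
    dotdotSegment: naiveHasDotDot(s),
    isAbsolute: win32.isAbsolute(s),
    resolvesTo: resolveLinkTarget('C:\\extract', s),
    allowed: linkTargetStaysInside('C:\\extract', s),
  });
}
```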