Node.js Tar Creates Hardlinks Outside Extraction Directory
DEBIAN-CVE-2026-29786
Summary
A security update is available for node-tar, the tar library for Node.js. Prior to node-tar version 7.5.10, a maliciously crafted archive could potentially allow an attacker to overwrite files outside the intended extraction directory. Update to version 7.5.10 or later to fix this issue.
What to do
- Update debian node-tar to version 6.2.1+ds1+~cs6.1.13-8.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| debian | node-tar | All versions | – |
| debian | node-tar | <= 6.2.1+ds1+~cs6.1.13-8 | 6.2.1+ds1+~cs6.1.13-8 |
Original title
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target ...
Original description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
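The check below is an added example, not node-tar's code or its 7.5.10 patch: it shows why a test that only looks for a `..` path segment misses the drive-relative target `C:../target.txt`, and classifies hardlink targets by drive prefix, absolute root and traversal depth. The function names and the `{type, path, linkpath}` entry shape are assumptions for illustration.

```javascript
// Added example: audit tar hardlink targets before extraction.
// Entry objects below are a constructed shape, not read from a real archive.

// Naive check: looks for a ".." path segment only.
function naiveHasDotDot(linkpath) {
  return String(linkpath).split(/[\\/]/).includes('..');
}

// Returns null if the hardlink target stays inside the extraction root,
// otherwise a reason string. Conservative: any drive prefix is rejected.
function checkHardlinkTarget(linkpath) {
  const p = String(linkpath).replace(/\\/g, '/');
  if (/^[A-Za-z]:/.test(p)) {
    // "C:/x" is absolute; "C:x" or "C:../x" is relative to drive C's cwd.
    return p[2] === '/' ? 'absolute' : 'drive-relative';
  }
  if (p.startsWith('/')) return 'absolute';
  // Hardlink targets are taken relative to the extraction root, so
  // dropping below depth 0 means the target is outside it.
  let depth = 0;
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    depth += seg === '..' ? -1 : 1;
    if (depth < 0) return 'traversal';
  }
  return null;
}

// Collect every hardlink entry whose target would leave the extraction root.
function auditHardlinks(entries) {
  return entries
    .filter((e) => e.type === 'Link')
    .map((e) => ({ path: e.path, linkpath: e.linkpath,
                   reason: checkHardlinkTarget(e.linkpath) }))
    .filter((f) => f.reason !== null);
}

// Constructed sample headers; "C:../target.txt" is the form the advisory names.
const SAMPLE_ENTRIES = [
  { type: 'File', path: 'pkg/index.js' },
  { type: 'Link', path: 'pkg/copy.js', linkpath: 'pkg/index.js' },
  { type: 'Link', path: 'pkg/a.txt', linkpath: 'C:../target.txt' },
  { type: 'Link', path: 'pkg/b.txt', linkpath: 'pkg/../../target.txt' },
  { type: 'Link', path: 'pkg/c.txt', linkpath: 'C:\\dir\\target.txt' },
];

for (const f of auditHardlinks(SAMPLE_ENTRIES)) {
  console.log(`${f.reason}: ${f.path} -> ${f.linkpath}`);
}
```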
CVSS 4.0 score (OSV): 7.6
- https://security-tracker.debian.org/tracker/CVE-2026-29786 Vendor Advisory
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026