Node.js Tar Library Can Create Malicious Hardlinks
GHSA-qffp-2rhf-9h96 · CVE-2026-29786
Summary
A security issue in older versions of the node-tar library for Node.js could allow an attacker who supplies a crafted archive to create a hardlink that points outside the extraction directory, potentially allowing files to be overwritten in unintended locations. This issue has been fixed in version 7.5.10, so update your node-tar library to the latest version to stay protected. Users who have not updated may be at risk of file corruption or malicious activity.
What to do
- Update tar to version 7.5.10.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | tar | <= 7.5.9 | 7.5.10 |
| – | tar | <= 7.5.10 | 7.5.10 |
| isaacs | tar | <= 7.5.10 | – |
Original title
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target ...
Original description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
CVSS 4.0 (GHSA): 8.2
Vulnerability type
- CWE-22: Path Traversal
- CWE-59: Link Following
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026