CVE-2026-23745: Tar-pit of Doom: Escaping the Root in node-tar

Published: January 16, 2026 at 05:08 PM EST
2 min read
Source: Dev.to

Tar-pit of Doom: Escaping the Root in node-tar

Vulnerability ID: CVE-2026-23745
CVSS Score: 8.2
Published: 2026-01-16

A critical path‑traversal vulnerability in the ubiquitous node-tar library allows malicious archives to bypass extraction‑root restrictions. By giving hard‑link and symlink entries absolute target paths, an attacker‑supplied archive can overwrite arbitrary system files or plant poisoned symbolic links, turning a routine archive extraction into a file‑system attack.

TL;DR

node-tar ≤ 7.5.2 failed to sanitize the targets of hardlinks and symlinks. If an archive contains a link pointing to an absolute path (e.g., /etc/passwd), node-tar would create it, ignoring the intended extraction directory. This leads to Arbitrary File Overwrite and potential RCE via config‑file manipulation.

⚠️ Exploit Status: Proof of Concept

Technical Details

  • CWE ID: CWE‑22 (Path Traversal)
  • CVSS 4.0: 8.2 (High)
  • Attack Vector: Local (Archive Upload)
  • Affected Components: unpack.ts (Link/SymbolicLink handling)
  • Impact: Arbitrary File Overwrite / Symlink Poisoning
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Node.js applications using node-tar
  • CI/CD pipelines processing untrusted archives
  • Server‑side applications with file‑upload/extraction features

Vulnerable versions: node-tar ≤ 7.5.2
Fixed in: 7.5.3

Code Analysis

Commit: 340eb28 ("Fix: strip absolute paths from link targets")

@@ -150,7 +150,8 @@
-      if (!this[CHECKPATH](entry))
+      if (
+        !this[STRIPABSOLUTEPATH](entry, 'path') ||
+        !this[STRIPABSOLUTEPATH](entry, 'linkpath')
+      )
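Review bot: the visible lines drop `this[CHECKPATH](entry)` from the condition entirely, replacing it with two `STRIPABSOLUTEPATH` calls; unless `CHECKPATH` is still invoked elsewhere (not shown in this hunk), any other checks it performed on `entry.path`, such as rejecting `..` traversal, are lost here. Stripping an absolute prefix from `linkpath` also does not by itself keep a relative link target (one built from `..` segments) inside the extraction root, so a containment check on the resolved link target should still follow for both `Link` and `SymbolicLink` entries. A short comment stating what a `false` return from `STRIPABSOLUTEPATH` means (entry rejected versus path unchanged) would help, since the body of the `if` lies outside the shown context.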

Exploit Details

Mitigation Strategies

  • Input Validation: Ensure all archive entries are validated for path traversal before filesystem operations.
  • Principle of Least Privilege: Run extraction processes in sandboxed environments with limited filesystem access.
  • Dependency Management: Regularly audit and update deep dependencies.

Remediation Steps

  1. Identify vulnerable instances using npm audit or yarn audit.
  2. Upgrade node-tar to version 7.5.3 or later.
  3. Verify that preservePaths is not enabled unless strictly necessary.
  4. Rebuild lockfiles to ensure sub‑dependencies use the patched version.

References
