CVE-2026-23745: Tar-pit of Doom: Escaping the Root in node-tar

Published: January 16, 2026 at 05:08 PM EST
Source: Dev.to

Vulnerability ID: CVE-2026-23745
CVSS Score: 8.2
Published: 2026-01-16

A critical path‑traversal vulnerability in the ubiquitous node-tar library allows malicious archives to bypass extraction‑root restrictions. By manipulating hard‑link and symlink targets with absolute paths, attackers can overwrite arbitrary system files or poison symbolic links, effectively turning a standard archive‑extraction operation into a weaponized file‑system assault.

TL;DR

node-tar ≤ 7.5.2 failed to sanitize the targets of hardlinks and symlinks. If an archive contains a link pointing to an absolute path (e.g., /etc/passwd), node-tar would create it, ignoring the intended extraction directory. This leads to Arbitrary File Overwrite and potential RCE via config‑file manipulation.

⚠️ Exploit Status: Proof of Concept

Technical Details

  • CWE ID: CWE‑22 (Path Traversal)
  • CVSS 4.0: 8.2 (High)
  • Attack Vector: Local (Archive Upload)
  • Affected Components: unpack.ts (Link/SymbolicLink handling)
  • Impact: Arbitrary File Overwrite / Symlink Poisoning
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Node.js applications using node-tar
  • CI/CD pipelines processing untrusted archives
  • Server‑side applications with file‑upload/extraction features

Vulnerable versions: node-tar ≤ 7.5.2
Fixed in: 7.5.3

Code Analysis

Commit: 340eb28 - Fix: strip absolute paths from link targets

@@ -150,7 +150,8 @@
-      if (!this[CHECKPATH](entry))
+      if (
+        !this[STRIPABSOLUTEPATH](entry, 'path') ||
+        !this[STRIPABSOLUTEPATH](entry, 'linkpath')
+      )
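
Review bot: The rewritten condition drops the `this[CHECKPATH](entry)` call entirely, and the visible lines do not show where the remaining checks that helper performed are now applied; please confirm they still run for every entry before anything is written. The second call, `this[STRIPABSOLUTEPATH](entry, 'linkpath')`, is also evaluated for all entry types, so the helper needs a documented no-op path for entries that carry no linkpath (plain files, directories) rather than rejecting them. A regression test with a Link and a SymbolicLink entry whose linkpath is absolute would pin the intended behaviour.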

Mitigation Strategies

  • Input Validation: Ensure all archive entries are validated for path traversal before filesystem operations.
  • Principle of Least Privilege: Run extraction processes in sandboxed environments with limited filesystem access.
  • Dependency Management: Regularly audit and update deep dependencies.
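
The input-validation mitigation above, sketched as an added example (not code from node-tar or from the original post): a pre-extraction check over entry metadata that flags absolute link targets and, going one step beyond the patch shown, relative targets that climb out of the root through `..` segments. The function names are hypothetical and the entries are constructed; `type`, `path` and `linkpath` follow the fields named in the patch and in Technical Details.

```javascript
// Added example: a pre-extraction policy check, not node-tar's own code.
// Tar member names use '/' separators, so paths are normalised by hand.
// Resolve rel against base; returns null if it climbs above the root.
function resolveInRoot(base, rel) {
  const out = base.split('/').filter(Boolean);
  for (const seg of rel.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg !== '..') { out.push(seg); continue; }
    if (out.length === 0) return null; // escaped the extraction root
    out.pop();
  }
  return out.join('/');
}

// Leading '/', leading '\', or a drive-letter prefix.
const isAbsolute = (p) => /^(\/|\\|[A-Za-z]:)/.test(p);

function checkEntry(entry) {
  const problems = [];
  if (isAbsolute(entry.path) || resolveInRoot('', entry.path) === null) {
    problems.push('path escapes root');
  }
  if (entry.type === 'Link' || entry.type === 'SymbolicLink') {
    const target = entry.linkpath || '';
    // Hard-link targets name a member relative to the archive root;
    // symlink targets resolve relative to the directory holding the link.
    const dir = entry.path.split('/').slice(0, -1).join('/');
    const base = entry.type === 'Link' ? '' : (resolveInRoot('', dir) || '');
    if (isAbsolute(target)) problems.push('absolute linkpath');
    else if (resolveInRoot(base, target) === null) problems.push('linkpath escapes root');
  }
  return problems;
}

// One finding per entry that violates the policy.
function auditEntries(entries) {
  return entries
    .map((e) => ({ path: e.path, problems: checkEntry(e) }))
    .filter((f) => f.problems.length > 0);
}

// Constructed sample metadata; values are made up for illustration.
const SAMPLE = [
  { type: 'File', path: 'pkg/index.js' },
  { type: 'Link', path: 'pkg/passwd', linkpath: '/etc/passwd' },
  { type: 'SymbolicLink', path: 'pkg/conf', linkpath: '../../outside' },
  { type: 'SymbolicLink', path: 'pkg/lib/current', linkpath: '../v1' },
];
console.log(auditEntries(SAMPLE));
```

Any finding is a reason to reject the whole archive before a single entry is written to disk.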

Remediation Steps

  1. Identify vulnerable instances using npm audit or yarn audit.
  2. Upgrade node-tar to version 7.5.3 or later.
  3. Verify that preservePaths is not enabled unless strictly necessary.
  4. Rebuild lockfiles to ensure sub‑dependencies use the patched version.
