CVE-2026-23745: node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

January 16, 2026

The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets.

References

github.com/advisories/GHSA-8qq5-rm4j-mr97
github.com/isaacs/node-tar
github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e
github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97
nvd.nist.gov/vuln/detail/CVE-2026-23745

Code Behaviors & Features

Detect and mitigate CVE-2026-23745 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →