CVE-2026-24842: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

January 28, 2026

node-tar contains a vulnerability where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory.

References

github.com/advisories/GHSA-34x7-hfp2-rc4v
github.com/isaacs/node-tar
github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
nvd.nist.gov/vuln/detail/CVE-2026-24842

Code Behaviors & Features

Detect and mitigate CVE-2026-24842 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →