CVE-2026-26960: Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
(updated )
tar.extract() in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.
This enables arbitrary file read and write as the extracting user (no root, no chmod, no preservePaths).
Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.
References
- github.com/advisories/GHSA-83g3-92jg-28cx
- github.com/isaacs/node-tar
- github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384
- github.com/isaacs/node-tar/commit/d18e4e1f846f4ddddc153b0f536a19c050e7499f
- github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx
- nvd.nist.gov/vuln/detail/CVE-2026-26960
Code Behaviors & Features
Detect and mitigate CVE-2026-26960 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →