CVE-2026-23950

8.8 HIGH

📋 TL;DR

node-tar versions up to 7.5.3 have a race condition vulnerability that allows arbitrary file overwrite via symlink poisoning attacks. This occurs when extracting malicious tar archives on case-insensitive filesystems like macOS APFS/HFS+ due to Unicode path collision handling issues. Users extracting untrusted tar archives on affected systems are at risk.

💻 Affected Systems

Products:
  • node-tar
Versions: All versions up to and including 7.5.3
Operating Systems: macOS (APFS/HFS+ filesystems)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability specifically manifests on filesystems that ignore Unicode normalization differences, primarily macOS APFS/HFS+. Other systems may be affected if using similar filesystem configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via arbitrary file overwrite leading to privilege escalation, data destruction, or remote code execution.

🟠 Likely Case: Local privilege escalation or data corruption when extracting malicious tar archives from untrusted sources.

🟢 If Mitigated: Limited impact if only extracting trusted archives or using workarounds like symbolic link filtering.

🌐 Internet-Facing: MEDIUM - Risk exists when processing user-uploaded tar archives, but requires specific filesystem conditions.
🏢 Internal Only: LOW - Primarily affects local extraction operations rather than network-facing services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires crafting malicious tar archives with Unicode path collisions and requires the target to extract them on vulnerable filesystems.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.5.4

Vendor Advisory: https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w

Restart Required: No

Instructions:

1. Update node-tar to version 7.5.4 or later using npm: npm update tar
2. Verify the update with: npm list tar

🔧 Temporary Workarounds

Filter symbolic links during extraction (applies to: all)

Filter out all symbolic link entries when extracting untrusted tar archives, similar to npm's approach.

Implement custom extraction logic that filters entries with type 'SymbolicLink' before processing.

🧯 If You Can't Patch

  • Avoid extracting untrusted tar archives on macOS APFS/HFS+ filesystems
  • Implement strict input validation and sanitization for tar archive processing

🔍 How to Verify

Check if Vulnerable:

Check the installed node-tar version with: npm list tar | grep tar

Verify Fix Applied:

Verify the version is 7.5.4 or higher (the pattern also accepts 7.5.10+, 7.6+ and major versions 8 and above; `\d` is not portable in POSIX ERE, so digit classes are spelled out): npm list tar | grep -E 'tar@(7\.5\.([4-9]|[1-9][0-9]+)|7\.([6-9]|[1-9][0-9]+)\.|([8-9]|[1-9][0-9]+)\.)'

📡 Detection & Monitoring

Log Indicators:

  • Multiple file operations on similar Unicode paths (e.g., ß and ss)
  • Unexpected symbolic link creation during tar extraction

Network Indicators:

  • Large number of tar archive uploads to vulnerable endpoints

SIEM Query:

Process execution logs showing tar extraction with Unicode filenames on macOS systems
