CVE-2026-24842
📋 TL;DR
CVE-2026-24842 is a path traversal vulnerability in node-tar, a Node.js library for handling TAR archives, affecting versions prior to 7.5.7. It allows attackers to bypass security checks by crafting malicious TAR archives that create hardlinks to arbitrary files outside the intended extraction directory, potentially leading to unauthorized file access or modification. This impacts any Node.js applications using vulnerable versions of node-tar to extract untrusted TAR archives.
💻 Affected Systems
- node-tar
📦 What is this software?
node-tar is the 'tar' package on npm, maintained by isaacs; it reads and writes TAR archives in Node.js.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create hardlinks to critical system files (e.g., /etc/passwd, configuration files) outside the extraction directory, enabling unauthorized reading, modification, or deletion, potentially leading to system compromise, data breaches, or service disruption.
Likely Case
In real-world scenarios, attackers may exploit this to access sensitive application files, such as configuration or credential files, leading to data exposure or privilege escalation within the application context.
If Mitigated
If controls such as strict validation of archive contents, sandboxing of the extraction process, or network segmentation are in place, the impact is confined to the isolated environment, reducing the risk of broader system compromise.
🎯 Exploit Status
Exploitation requires an attacker to craft a malicious TAR archive and have it processed by a vulnerable application; public proof-of-concept code is available in the advisory references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.7
Vendor Advisory: https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
Restart Required: No
Instructions:
1. Update node-tar to version 7.5.7 or later using npm: 'npm update tar'.
2. Verify the update by checking the package version in your project.
3. Test the application to ensure compatibility with the patched version.
🔧 Temporary Workarounds
Disable TAR extraction from untrusted sources
Temporarily disable or restrict functionality that processes TAR archives from untrusted inputs until patching is possible.
Use input validation and sanitization
Implement strict validation to reject TAR archives with suspicious paths or hardlink entries before extraction.
🧯 If You Can't Patch
- Implement network segmentation to isolate systems using node-tar from untrusted networks.
- Monitor and audit file system changes for unexpected hardlink creations outside extraction directories.
🔍 How to Verify
Check if Vulnerable:
Check the node-tar version in your Node.js project: run 'npm list tar' and look for versions below 7.5.7.
Check Version:
npm list tar
Verify Fix Applied:
After updating, run 'npm list tar' to confirm version 7.5.7 or higher is installed, and test extraction with a safe TAR archive to ensure functionality.
📡 Detection & Monitoring
Log Indicators:
- Log entries showing TAR extraction errors, unexpected file access, or hardlink creation outside expected directories.
Network Indicators:
- Unusual network traffic patterns associated with file uploads or archive processing from untrusted sources.
SIEM Query:
Example: 'event:tar_extraction AND (path_traversal OR hardlink_outside_dir)' - adjust based on your logging schema.