Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2026-24842

Опубликовано: 28 янв. 2026
Источник: debian
EPSS Низкий

Описание

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
node-tarnot-affectedpackage

Примечания

  • https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v

  • Fixed by: https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 (v7.5.7)

  • Vulnerability introduced by the upstream fixes for CVE-2026-23745, i.e. upstream's

  • https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e

  • https://github.com/isaacs/node-tar/commit/e9a1ddb821b29ddee75b9470dd511066148c8070

EPSS

Процентиль: 5%
0.00018
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2026-24842

CVSS3: 8.2
ubuntu
около 2 месяцев назад

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

redhat логотип

CVE-2026-24842

CVSS3: 8.2
redhat
около 2 месяцев назад

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

nvd логотип

CVE-2026-24842

CVSS3: 8.2
nvd
около 2 месяцев назад

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

github логотип

GHSA-34x7-hfp2-rc4v

CVSS3: 8.2
github
около 2 месяцев назад

node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal

fstec логотип

BDU:2026-00891

CVSS3: 8.2
fstec
около 2 месяцев назад

Уязвимость библиотеки node-tar программной платформы Node.js, позволяющая нарушителю обойти существующие механизмы безопасности

EPSS

Процентиль: 5%
0.00018
Низкий