<p>The node-tar library (Version 7.5.2 or earlier) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets.</p>

The node-tar library (Version 7.5.2 or earlier) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets.

[CVE-2026-23745][node-tar library]Insufficient Link Path Sanitization

We primarily share information about vulnerabilities in open-source software. While finding vulnerability details can be challenging, simply listen to the information we've curated here.

We deliver updates once a day, every day. We hope this serves as your cyber guardian.

Technology

We primarily share information about vulnerabilities in open-source software. While finding vulnerability details can be challenging, simply listen to the information we've curated here. We deliver updates once a day, every day. We hope this serves as your cyber guardian.

Share [CVE-2026-23745][node-tar library]Insufficient Link Path Sanitization

Sign up to save your podcasts

[CVE-2026-23745][node-tar library]Insufficient Link Path Sanitization

[CVE-2026-23745][node-tar library]Insufficient Link Path Sanitization