Research: Joshua van Rijswijk
PoC for CVE-2026-23745, a high-severity path traversal vulnerability in node-tar (<7.5.2).
The library fails to sanitize absolute paths in the linkpath field for Hardlinks and Symlinks. This allows malicious tar archives to bypass the extraction root and overwrite arbitrary files on the host system, even when preservePaths: false is set.
The bug is located in src/unpack.ts, where the library calls path.resolve() on unsanitized user input:
// The bug: path.resolve ignores 'cwd' if the second argument is absolute
const target = path.resolve(this.cwd, String(entry.linkpath))
If an attacker provides an absolute path (e.g., /etc/passwd) in the tar header, node-tar resolves it against the filesystem root instead of the extraction directory.
The included poc.js generates a malicious archive and attempts to overwrite a local secret.txt file.
- Install vulnerable version:
  npm install tar@7.5.2
- Run exploit generator:
  node poc.js
Output:
[+] VULN CONFIRMED: Hardlink overwrite successful
Target file content changed to: OVERWRITTEN
Patched in v7.5.3. The update adds stripAbsolutePath() to sanitize link targets before resolution.
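The resolution behaviour and the sanitize-before-resolve fix described above, as an added example (not code from node-tar or from poc.js). The helper names and the /srv/extract root are hypothetical, and the containment check goes beyond what this page says about the patch.

```javascript
// Added example: illustrative helpers, not node-tar source code.
// POSIX path semantics are forced so results are identical on any host.
const path = require("node:path").posix;

// Pattern shown on this page: an absolute linkpath makes resolve() discard cwd.
function resolveLinkUnsafe(cwd, linkpath) {
  return path.resolve(cwd, String(linkpath));
}

// Hypothetical sanitizer: drop leading "/" so the link target is always relative.
function stripLeadingRoot(p) {
  return String(p).replace(/^\/+/, "");
}

// True when `target` is `root` itself or a path beneath it.
function isInside(root, target) {
  const rel = path.relative(root, target);
  return rel === "" ||
    (rel !== ".." && !rel.startsWith("../") && !path.isAbsolute(rel));
}

// Hardened form: sanitize first, resolve, then verify containment.
// Returns the resolved target, or null when the entry must be rejected.
function resolveLinkSafe(cwd, linkpath) {
  const root = path.resolve(cwd);
  const target = path.resolve(root, stripLeadingRoot(linkpath));
  return isInside(root, target) ? target : null;
}

// Constructed sample link targets, as they might appear in tar headers.
function demo(cwd = "/srv/extract") {
  const samples = ["docs/readme.txt", "/etc/passwd", "../../etc/passwd"];
  return samples.map((linkpath) => ({
    linkpath,
    unsafe: resolveLinkUnsafe(cwd, linkpath),
    safe: resolveLinkSafe(cwd, linkpath),
  }));
}

console.table(demo());
```

A null in the safe column means the entry should be skipped or the extraction aborted, rather than the link being created.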