CVE-2026-24842
Published: 28 January 2026
Summary
CVE-2026-24842 is a high-severity Path Traversal (CWE-22) vulnerability in Isaacs Tar. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of the node-tar path resolution mismatch vulnerability by upgrading to version 7.5.7 or later.
Mandates validation of TAR archive inputs to block malicious hardlink entries that bypass path traversal protections.
Facilitates scanning and monitoring to identify systems running vulnerable node-tar versions prior to 7.5.7.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables delivery of malicious TAR archive requiring user extraction (T1204.002) followed by arbitrary local file reads via hardlink path traversal bypass (T1005).
NVD Description
node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Deeper analysis
CVE-2026-24842 affects node-tar, a Tar implementation for Node.js, in versions prior to 7.5.7. The vulnerability arises from a mismatch in path resolution semantics: the security check for hardlink entries uses different logic than the actual hardlink creation process during TAR extraction. This discrepancy enables attackers to craft malicious TAR archives that bypass path traversal protections, allowing hardlinks to be created to arbitrary files outside the intended extraction directory. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Improper Link Resolution Before File Access), with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N). It was published on 2026-01-28.
An attacker can exploit this vulnerability remotely over the network with low complexity and no required privileges, but it requires user interaction, such as tricking a victim into extracting a malicious TAR archive using an affected version of node-tar. Because the scope is changed (S:C), successful exploitation reaches beyond the extracting component and enables high-impact confidentiality violations by creating hardlinks to sensitive files outside the extraction directory. This allows arbitrary file reads (e.g., linking to system files and accessing them via the extraction directory), with low integrity impact and no availability disruption.
The node-tar GitHub security advisory (GHSA-34x7-hfp2-rc4v) and the fixing commit (f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46) confirm that upgrading to version 7.5.7 resolves the issue by aligning the path resolution semantics in the security check with the hardlink creation logic. Security practitioners should prioritize updating affected node-tar instances and validate TAR archives before extraction where possible.
Details
- CWE(s)