CVE-2026-24842

Name	CVE-2026-24842
Description	node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
node-tar (PTS)	bullseye (security), bullseye	6.0.5+ds1+~cs11.3.9-1+deb11u2	vulnerable
	bookworm	6.1.13+~cs7.0.5-1	vulnerable
	trixie	6.2.1+~cs7.0.8-1	vulnerable
	forky, sid	6.2.1+ds1+~cs6.1.13-7	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
node-tar	source	(unstable)	(unfixed)

Notes

https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
Fixed by: https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 (v7.5.7)