CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-24842

Escape Artist: Breaking node-tar with Hardlink Path Traversal

Amit Schendel
Amit Schendel
Senior Security Researcher

Jan 28, 2026·6 min read·123 visits

Executive Summary (TL;DR)

Logic error in hardlink validation allows writing or linking files outside the destination folder. Affects node-tar < 7.5.7. Fixed by strictly forbidding '..' in link targets.

A critical logic flaw in node-tar, the de facto standard archive utility for the Node.js ecosystem, allows attackers to bypass path traversal protections using hardlinks. By exploiting a discrepancy between how link paths are validated versus how they are resolved by the operating system, a malicious TAR archive can create hardlinks to arbitrary files outside the extraction root. This affects millions of developers and pipelines relying on node-tar for package installation.

The Hook: The Foundation Cracks

If you work with Node.js, you use node-tar. You might not know it, but every time you type npm install, this library is the workhorse silently unpacking tarballs in the background. It is the plumbing of the JavaScript ecosystem. And when the plumbing leaks, the entire house gets wet.

CVE-2026-24842 isn't just a simple buffer overflow or a typo. It's a logic bug that exposes a fundamental misunderstanding of how file systems resolve paths. The vulnerability allows an attacker to craft a TAR archive that looks perfectly innocent to the security validator but behaves maliciously when handed off to the operating system.

Imagine a bouncer checking your ID at the club entrance (the validator). They check your address and say "You live nearby, come in." But once you're inside, you teleport to a different country. That's essentially what happens here. The validator calculates path safety based on one assumption, while the OS executes the file creation based on another.

The Flaw: A Matter of Perspective

The core of the issue lies in the discrepancy between intent and execution. When node-tar extracts a file, it generally tries to prevent "Path Traversal"—the classic attack where a file named ../../etc/passwd tries to escape the extraction directory. node-tar has checks for this. However, hardlinks (type: 'Link') introduce a layer of complexity.

When node-tar validated a hardlink entry, it resolved the target path relative to the entry's parent directory within the archive. For example, if you had an entry at a/b/c/link, and it pointed to ../../target, the validator calculated: extract_root/a/b/c/ + ../../target = extract_root/a/target. This looks safe. It stays inside the extraction root.

However, the fatal flaw was in the actual extraction step. node-tar used fs.linkSync(linkpath, entrypath). Crucially, when fs.link receives a relative path, the operating system resolves it relative to the Current Working Directory (CWD) of the process, NOT the directory of the file being created. So, that same ../../target string is passed directly to the OS, which walks up two directories from where the process is running, potentially escaping the sandbox entirely.

The Code: The Smoking Gun

The fix provided in commit f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 is brutally simple, acknowledging that trying to be clever with path resolution is a losing game. Instead of trying to calculate where the link lands, the developers decided to nuke the problem from orbit.

The vulnerable code attempted to resolve paths intelligently. The patched code simply forbids relative traversals in links altogether.

// src/unpack.ts (The Fix)
 
// If the field is a path or the type is a Link (hardlink)
if (field === 'path' || type === 'Link') {
  // If the path contains '..', it is immediately rejected.
  // No complex math, no resolution attempts. Just NO.
  if (p.includes('..')) {
    this.warn('TAR_ENTRY_ERROR', `${field} contains '..'`, { entry });
    return false;
  }
}

This is a classic "defense in depth" shift. Rather than trusting the complex logic that ensures .. stays within bounds, node-tar now asserts that hardlinks in archives simply shouldn't be navigating up the directory tree at all. It removes the ambiguity that caused the vulnerability.

The Exploit: Climbing the Ladder

To exploit this, we need to trick the validator into thinking we are deep inside a directory structure so that it allows us to use .. segments. Then, we rely on the OS to interpret those .. segments relative to the root of the process.

Here is the recipe for disaster:

  1. Create a deep directory structure: Make an archive with a folder trap/level1/level2/level3/.
  2. Insert the Hardlink: Place a hardlink entry inside level3.
  3. Weaponize the Target: Set the link target to ../../../../../../etc/passwd.

The Validator's View: It sees the entry at trap/level1/level2/level3/. It sees the target ../../../../../../etc/passwd. It resolves this relative to level3. Mathematically, that might still look "contained" or at least confusing enough to bypass the check depending on the exact validation logic version.

The OS View: The process calls link("../../../../../../etc/passwd", "path/to/extract/trap/level1/level2/level3/link"). The OS ignores the destination path when resolving the source. It looks at the source string: ../../../../../../etc/passwd. If the node process is running in /home/user/app, this path walks up to root and grabs the shadow file (permissions permitting). You now have a hardlink to the system's password file inside your extraction folder.

The Impact: Filesystem Roulette

Why should you panic? Because hardlinks are bidirectional portals. If an attacker can create a hardlink to a sensitive file (like a config file or /etc/shadow), they gain a direct handle to that file on the host system.

Scenario 1: Information Disclosure The attacker extracts the malicious archive. The extraction creates a link named funny_pic.jpg that is actually a hardlink to config/database.yml. The application then processes or serves funny_pic.jpg to the user. The attacker downloads their own "image" and gets your database credentials.

Scenario 2: Integrity Violation The attacker links overwrite_me.txt to /usr/local/bin/startup_script.sh. Later in the extraction or in a subsequent request, the attacker writes data to overwrite_me.txt. Because it's a hardlink, the OS writes that data directly into startup_script.sh. The next time the server restarts, the attacker owns the box.

The Fix: Upgrade or Die

The only reliable way to fix this is to upgrade node-tar. The logic required to safely validate hardlinks without banning .. is notoriously difficult and prone to edge cases (as proven by the existence of this CVE).

Remediation Steps:

  1. Check your package-lock.json or yarn.lock for node-tar (often aliased simply as tar).
  2. Ensure the resolved version is 7.5.7 or higher.
  3. Run npm audit fix if applicable, or manually force the dependency update.

> [!NOTE] > If you cannot upgrade, you must ensure that your application creates a clean, empty sandbox directory for every extraction and strictly limits the file system permissions of the Node.js process. Do not run extraction as root.

Official Patches

node-tarCommit f4a7aa9 fixing the path traversal

Fix Analysis (1)

Technical Appendix

CVSS Score
8.2/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
EPSS Probability
0.03%
Top 93% most exploited

Affected Systems

Node.js applications using `node-tar`npm CLI (potentially, via dependency)CI/CD pipelines extracting untrusted artifacts

Affected Versions Detail

Product
Affected Versions
Fixed Version
node-tar
isaacs
< 7.5.77.5.7
AttributeDetail
CWECWE-22 (Path Traversal)
Attack VectorLocal / Network (Archive Upload)
CVSS8.2 (High)
EPSS Score0.00027 (Low Probability)
ConfidentialityHigh (File Read)
IntegrityLow (File Overwrite)
Exploit StatusPoC Available

MITRE ATT&CK Mapping

T1559Inter-Process Communication
Execution
T1204User Execution
Execution
T1006Direct Volume Access
Defense Evasion
CWE-22
Path Traversal

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Known Exploits & Detection

GitHub AdvisoryTechnical description of the hardlink path traversal logic flaw

Vulnerability Timeline

Patch committed by maintainer
2026-01-27
CVE-2026-24842 Published
2026-01-28

References & Sources

  • [1]NVD - CVE-2026-24842
  • [2]GHSA-34x7-hfp2-rc4v Advisory

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 9 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 9 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 10 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 10 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read
•about 11 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 11 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
6 views•5 min read