CVE-2026-23745— node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23745
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
node-tar Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
Source: NVD (National Vulnerability Database)
Vulnerability Description
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
node-tar 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
node-tar是isaacs个人开发者的一款用于文件压缩/解压缩的软件包。 node-tar 7.5.2及之前版本存在路径遍历漏洞,该漏洞源于未清理链接路径,可能导致任意文件覆盖和符号链接投毒。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-23745
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Proof of Concept for CVE-2026-23745: Arbitrary File Overwrite vulnerability in node-tar (versions < 7.5.3). | https://github.com/Jvr2022/CVE-2026-23745 | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23745
请登录查看更多情报信息。
- Insufficient Link Path Sanitization · Advisory · isaacs/node-tar · GitHubx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-23745
IV. Related Vulnerabilities
Same product: node-tar
- CVE-2026-31802
node-tar Symlink Path Traversal via Drive-Relative Linkpath - CVE-2026-29786
node-tar: Hardlink Path Traversal via Drive-Relative Linkpat - CVE-2026-26960
node-tar has Arbitrary File Read/Write via Hardlink Target E - CVE-2026-24842
node-tar Vulnerable to Arbitrary File Creation/Overwrite via - CVE-2026-23950
node-tar has Race Condition in Path Reservations via Unicode
Same vendor: isaacs
- CVE-2026-31802
node-tar Symlink Path Traversal via Drive-Relative Linkpath - CVE-2026-29786
node-tar: Hardlink Path Traversal via Drive-Relative Linkpat - CVE-2026-27904
minimatch ReDoS: nested *() extglobs generate catastrophical - CVE-2026-27903
minimatch has a ReDoS: matchOne() combinatorial backtracking - CVE-2026-26996
minimatch has a ReDoS via repeated wildcards with non-matchi
Same weakness: CWE-22
- CVE-2026-8274
npitre cramfs-tools Directory cramfsck.c do_directory path t - CVE-2022-50956
WordPress Plugin amministrazione-aperta 3.7.3 Local File Rea - CVE-2026-8215
Industrial Application Software IAS Canias ERP RMI iasReques - CVE-2026-42605
AzuraCast: Path Traversal in `currentDirectory` Parameter En - CVE-2026-42574
apko dirFS has a symlink-following path traversal that allow
V. Comments for CVE-2026-23745
No comments yet