CVE-2026-29786

Name
CVE-2026-29786
Description
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
NVD Severity
unknown

References

| Type | URI |
|---|---|
| security-advisories@github.com | https://github.com/isaacs/node-tar/commit/7bc755dd85e623c0279e08eb3784909e6d7e4b9f |
| security-advisories@github.com | https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:* | tar | >= None | < 7.5.10 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| tar | edge-main | 1.35-r5 | qaqland <qaq@qaq.land> | fixed |
| tar | edge-main | 1.35-r4 | Celeste <cielesti@protonmail.com> | fixed |
| tar | edge-main | 1.35-r3 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.35-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.35-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.34-r4 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.34-r3 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.34-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.34-r1 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.34-r0 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | edge-main | 1.31-r0 | None | fixed |
| tar | edge-main | 1.29-r1 | None | fixed |
| tar | 3.23-main | 1.35-r4 | Celeste <cielesti@protonmail.com> | fixed |
| tar | 3.22-main | 1.35-r3 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | 3.22-main | 1.34-r2 | None | fixed |
| tar | 3.22-main | 1.34-r0 | None | fixed |
| tar | 3.22-main | 1.31-r0 | None | fixed |
| tar | 3.22-main | 1.29-r1 | None | fixed |
| tar | 3.21-main | 1.35-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | 3.21-main | 1.34-r2 | None | fixed |
| tar | 3.21-main | 1.34-r0 | None | fixed |
| tar | 3.21-main | 1.31-r0 | None | fixed |
| tar | 3.21-main | 1.29-r1 | None | fixed |
| tar | 3.20-main | 1.35-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | 3.20-main | 1.34-r2 | None | fixed |
| tar | 3.20-main | 1.34-r0 | None | fixed |
| tar | 3.20-main | 1.31-r0 | None | fixed |
| tar | 3.20-main | 1.29-r1 | None | fixed |
| tar | 3.19-main | 1.35-r2 | Carlo Landmeter <clandmeter@alpinelinux.org> | fixed |
| tar | 3.19-main | 1.34-r2 | None | fixed |
| tar | 3.19-main | 1.34-r0 | None | fixed |
| tar | 3.19-main | 1.31-r0 | None | fixed |
| tar | 3.19-main | 1.29-r1 | None | fixed |