
InSEKurity of the Week (CW03/2026): Node.js node-tar Path Traversal (CVE-2026-23745)

Critical path traversal vulnerability in node-tar allows arbitrary file overwrite through manipulated hardlinks and symlinks in TAR archives

SEKurity Team

Offensive Security Experts


This week in our InSEKurity of the Week series: A critical vulnerability in the widely-used Node.js package node-tar affecting the entire JavaScript ecosystem.

🚨 Summary

  • CVE ID: CVE-2026-23745
  • EUVD ID: EUVD-2026-2909
  • CVSS 4.0 Score: 8.2 (High)
  • CWE: CWE-22 (Path Traversal)
  • GitHub Advisory: GHSA-8qq5-rm4j-mr97
  • Affected Software: node-tar <= 7.5.2
  • Attack Vector: Network (Unauthenticated Remote Attack)
  • Authentication Required: None
  • Impact: Arbitrary File Overwrite, potential Remote Code Execution
  • Patch Status: ✅ Available (Version 7.5.3)
  • Published: January 16, 2026

📦 What is node-tar?

node-tar is a fundamental npm package for extracting and creating TAR archives in Node.js. It’s used by millions of projects worldwide and is a critical component in the JavaScript/Node.js infrastructure. The package is found in build pipelines, package managers, deployment tools, and countless production applications.

This massive distribution makes this vulnerability a first-class supply chain risk.

πŸ” Technical Analysis

Vulnerability Description

node-tar <= 7.5.2 fails to properly validate the linkpath values of hardlinks and symbolic links in TAR archives, even when preservePaths is set to false (the secure default setting).

An attacker can create a specially crafted TAR archive containing hardlinks or symlinks with absolute paths (e.g., /etc/passwd, /root/.ssh/authorized_keys). During extraction, node-tar ignores the intended target directory and creates these links or overwrites the target files outside the extraction root.

Root Cause Analysis

The problem lies in insufficient validation of link targets:

  1. Missing Path Normalization: The library doesn’t check if link targets contain absolute paths
  2. preservePaths Security Bypass: Although preservePaths: false should prevent absolute paths, this protection doesn’t apply to link entries
  3. Trust in Archive Metadata: The library blindly trusts path information in the TAR header

Attack Vector

A typical attack proceeds as follows:

# Step 1: Attacker creates a manipulated TAR archive
# The archive contains a hardlink with an absolute path
tar -cf malicious.tar --hard-dereference /tmp/payload
# Manipulate TAR header to set link target to /etc/cron.d/backdoor

# Step 2: Victim extracts the archive
# node-tar overwrites /etc/cron.d/backdoor instead of staying in target directory
node -e "require('tar').extract({file: 'malicious.tar', cwd: './safe-dir'})"

Concrete Exploitation Scenarios:

  1. Config File Manipulation: Overwriting .bashrc, .ssh/authorized_keys, or system-wide configuration files
  2. Cron Job Injection: Placing backdoors in /etc/cron.d/
  3. Shared Library Hijacking: Overwriting libraries in /usr/lib/
  4. Supply Chain Attacks: Compromising CI/CD pipelines that process TAR archives from untrusted sources

⚠️ Impact Assessment

Immediate Impact

  • Arbitrary File Overwrite: Any file writable by the extracting process can be overwritten
  • Privilege Escalation: When extracting with elevated privileges (e.g., in containers, CI/CD), critical system files can be modified
  • Remote Code Execution: Through manipulation of startup scripts, cron jobs, or library paths

Affected Environments

Particularly vulnerable are:

  • CI/CD Pipelines: Pipelines that automatically process TAR archives from Git repositories or artifact stores
  • Package Managers: npm, yarn, and pnpm use TAR operations internally
  • Build Systems: Webpack, Rollup, Vite with TAR-based plugins
  • Container Build Processes: Docker/Podman layer extraction
  • Deployment Tools: Automatic extraction of release artifacts
  • Backup Restore Mechanisms: Automatic TAR extraction

Long-term Consequences

  • Supply Chain Compromise: Once compromised, build systems can infect additional packages
  • Loss of Trust: Erosion of trust in npm ecosystem security
  • Compliance Violations: GDPR, NIS2, Cyber Resilience Act
  • Reputation Damage: Especially for SaaS providers and platform operators

πŸ›‘οΈ Mitigation Strategies

Immediate Actions (Priority 1) ⚑

  1. Update to Version 7.5.3:

    npm update tar
    # Or explicitly:
    npm install tar@7.5.3
  2. Regenerate Lockfile:

    # npm
    rm package-lock.json && npm install
    
    # yarn
    rm yarn.lock && yarn install
    
    # pnpm
    rm pnpm-lock.yaml && pnpm install
  3. Check Transitive Dependencies:

    npm ls tar
    # Check if sub-dependencies still use old versions
  4. Audit CI/CD Pipelines:

    npm audit
    # Check for known vulnerabilities

Detection Measures 🔍

# Check if a vulnerable version is installed: list every resolved tar version
# (direct and transitive) and flag anything below the fixed release 7.5.3
npm ls tar --all 2>/dev/null | grep -oE 'tar@[0-9]+(\.[0-9]+){2}' | sort -u | while read -r v; do
    [ "$(printf '%s\n' "${v#tar@}" 7.5.3 | sort -V | head -n1)" != 7.5.3 ] && echo "VULNERABLE: $v"
done

# Check system for suspicious file changes
find /etc /root ~/.ssh -type f -mtime -7 -ls

# Check logs for TAR extraction outside expected paths
grep -r "EACCES\|Permission denied" /var/log/

Temporary Workarounds

If immediate update is not possible:

  1. Input Validation:

    // Only accept TAR archives from trusted sources
    const trustedSources = ['internal-registry.company.com'];
    if (!trustedSources.includes(archiveSource)) {
        throw new Error('Untrusted archive source');
    }
  2. Sandbox Extraction:

    // Extract in an isolated container/VM; Docker bind mounts require an absolute host path
    const path = require('path');
    const { spawn } = require('child_process');
    spawn('docker', ['run', '--rm', '-v', `${path.resolve('archives')}:/data:ro`,
                     'node:alpine', 'tar', '-xf', '/data/archive.tar'],
          { stdio: 'inherit' });
  3. Filesystem Monitoring:

    // Use inotify/fsevents to detect unexpected file changes
    const chokidar = require('chokidar');
    chokidar.watch('/etc', { ignoreInitial: true })
            .on('all', (event, path) => {
                console.warn(`Unexpected change: ${event} on ${path}`);
            });

Long-term Security Improvements

  1. Dependency Scanning: Integrate npm audit, Snyk, or Dependabot into CI/CD
  2. Least Privilege: Perform TAR extraction with minimal permissions
  3. Content Security: Only accept TAR archives from verified, signed sources
  4. Network Segmentation: Isolate build systems from production environments

πŸ” Best Practices for Node.js Security

For Developers

  • Automate Dependency Updates: Renovate Bot, Dependabot
  • Commit Lock Files: Guarantees reproducible builds
  • Regular Audits: npm audit in pre-commit hooks
  • Generate SBOM: Software Bill of Materials for transparency

For Organizations

  • Supply Chain Security Policy: Guidelines for dependency management
  • Private npm Registry: Control over used packages
  • Security Champions: Dedicated contacts for security topics
  • Incident Response Plan: Preparation for supply chain compromise

📊 Affected Versions and Detection

Vulnerable Versions

  • node-tar: All versions <= 7.5.2
  • Critical Version Range: 0.0.0 - 7.5.2
  • Safe Version: >= 7.5.3

Automatic Detection

#!/bin/bash
# Scan script for vulnerable node-tar installations

echo "Scanning for vulnerable node-tar installations..."

# Find all Node projects, skipping the package.json of every installed module
find /var/www /home -path '*/node_modules' -prune -o -name "package.json" -print 2>/dev/null | while read -r pkg; do
    dir=$(dirname "$pkg")
    echo "Checking: $dir"

    cd "$dir" || continue
    if [ -f "package-lock.json" ] || [ -f "node_modules/tar/package.json" ]; then
        # List every resolved tar version (direct and transitive) and flag
        # anything below the fixed release 7.5.3 using a semver-aware sort
        npm ls tar --all 2>/dev/null | grep -oE 'tar@[0-9]+(\.[0-9]+){2}' | sort -u | while read -r v; do
            lowest=$(printf '%s\n' "${v#tar@}" 7.5.3 | sort -V | head -n1)
            [ "$lowest" != "7.5.3" ] && echo "⚠️  VULNERABLE: $dir ($v)"
        done
    fi
done

🎯 Why is this Critical?

  1. Ubiquity: node-tar is present in nearly every Node.js project as a direct or transitive dependency
  2. Unauthenticated Remote Attack: No login required – anyone who can inject a TAR archive can attack
  3. Supply Chain Vector: A compromised build can infect thousands of downstream projects
  4. Silent Exploitation: Attacks leave minimal traces and are difficult to detect
  5. PoC Available: Public exploits increase the risk of active exploitation

🚀 Timeline and Disclosure

  • Discovery Date: Unknown (presumably January 2026)
  • Patch Release: January 13, 2026 (node-tar 7.5.3)
  • CVE Assignment: CVE-2026-23745
  • Public Disclosure: January 16, 2026 (NVD publication)
  • Debian Security Tracker: January 17, 2026

💼 SEKurity Supports You

This vulnerability impressively demonstrates how deeply embedded dependencies can lead to critical security issues. A single vulnerable package can endanger your entire infrastructure.

Our Services

  • Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
  • Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
  • Security Awareness: Phishing campaigns, hacking demonstrations

Act now – before attackers do.


Contact:

🌐 Website: www.sekurity.de

📧 Inquiries: www.sekurity.de/kontakt

📱 LinkedIn: SEKurity GmbH


Your SEKurity Team – Your Trusted Adversaries

Your supply chain security is our drive.


About the Author

SEKurity Team

Offensive Security Experts

The SEKurity GmbH team consists of experienced penetration testers, security researchers, and cybersecurity consultants. Under the motto 'Your Trusted Adversaries', we support organizations in evaluating their IT security from an attacker's perspective and improving it.