Arbitrary File Overwrite Vulnerability in node-tar by Isaac Schlueter
CVE-2026-23745

8.2 HIGH

Key Information:

Vendor: Isaacs
Status: Vendor
CVE Published: 16 January 2026

Badges

📈 Score: 611 · 👾 Exploit Exists · 🟡 Public PoC

What is CVE-2026-23745?

CVE-2026-23745 is a significant vulnerability in node-tar, the library widely used to read, write and extract TAR archives in Node.js applications. The flaw is that the link paths of Link (hard link) and SymbolicLink entries are not properly sanitized when the preservePaths option is false, which is the default. A crafted TAR archive can therefore contain link entries whose targets point outside the intended extraction root, bypassing that restriction. Where a vulnerable version extracts untrusted archives, this can permit arbitrary file overwrites on the host, with consequences ranging from system corruption and unauthorized data access to complete system compromise.

Potential impact of CVE-2026-23745

  1. Arbitrary File Overwrite: The most critical impact is an adversary's ability to overwrite arbitrary files on the file system, which can destroy the integrity and functionality of applications relying on the node-tar library.

  2. Symlink Poisoning: Attackers could use symbolic links to redirect the extraction process so that malicious files are written to sensitive locations. This path manipulation can compromise system security by enabling unauthorized data extraction or the installation of additional malware.

  3. Increased Attack Surface for Malware: Because the vulnerability lets attackers compromise systems, it raises the risk of follow-on malware deployment, including ransomware. A successful exploit could open the door to further intrusions, escalating the overall risk to organizational cybersecurity.

Affected Version(s)

node-tar < 7.5.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved
