Node.js Tar Package Vulnerability Allows File Overwrite Outside Directory
CVE-2026-29786

8.2HIGH

Key Information:

Vendor: Isaacs
Status: Node-tar
Vendor: CVE Published:; 7 March 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-29786?

The node-tar package for Node.js has a vulnerability that allows an attacker to create a hardlink pointing outside of the designated extraction directory. This occurs when a drive-relative link target is used, such as C:../target.txt, potentially leading to unintended file overwrites outside the current working directory during the normal tar.x() extraction process. This issue has been resolved in version 7.5.10 of the node-tar package.

Affected Version(s)

node-tar < 7.5.10

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-29786
Created by Jvr2022

References

https://github.com/isaacs/node-tar/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/isaacs/node-tar/commit/7bc755dd85e623c...

x_refsource_MISC

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2026
🟡
Public PoC available
Mar 6, 2026
👾
Exploit known to exist
Mar 6, 2026
Vulnerability Reserved
Mar 4, 2026

CVE-2026-29786 Data

JSON

Isaacs