Back to Blog
critical SEVERITY6 min read

Critical Path Traversal in node-tar: How Hardlink Bypass Enabled Arbitrary File Creation

A medium-severity vulnerability (CVE-2026-24842) in node-tar allowed attackers to bypass hardlink security checks through path traversal techniques, enabling arbitrary file creation and overwriting. This vulnerability could lead to symlink poisoning attacks and unauthorized file system manipulation when extracting malicious tar archives. The fix sanitizes linkpaths to prevent directory traversal exploitation.

O
By orbisai0security
March 6, 2026
#security#node-tar#path-traversal#cve#npm#vulnerability#file-system-security

Introduction

Archive extraction vulnerabilities are among the most insidious security issues in software development. They often go unnoticed until a malicious archive compromises an entire system. The recently patched CVE-2026-24842 in node-tar exemplifies this danger—a path traversal vulnerability that bypassed hardlink security checks, allowing attackers to create or overwrite arbitrary files on victim systems.

If your application extracts tar archives (and many Node.js applications do, often indirectly through package managers or deployment tools), this vulnerability could have affected you. Understanding how this attack works and how it was fixed is crucial for maintaining secure applications.

The Vulnerability Explained

What is node-tar?

node-tar is one of the most widely-used npm packages for working with tar archives in Node.js applications. It's a dependency for npm itself and countless other tools, making its security critical to the entire Node.js ecosystem.

The Technical Details

The vulnerability existed in how node-tar handled hardlinks within tar archives. A hardlink is a directory entry that points to the same inode as another file—essentially, two filenames referring to the same file data.

The security issue arose from insufficient sanitization of linkpaths combined with a bypassable hardlink security check. Here's how the attack worked:

  1. Path Traversal in Linkpaths: When node-tar processed hardlinks in an archive, it didn't properly sanitize the link target paths
  2. Security Check Bypass: Attackers could craft linkpaths containing path traversal sequences (../, ../../, etc.)
  3. Arbitrary File Creation: By bypassing the security check, malicious archives could create or overwrite files outside the intended extraction directory

Real-World Attack Scenario

Imagine you're running a Node.js application that processes user-uploaded tar archives:

// Vulnerable code pattern
const tar = require('tar');

app.post('/upload', async (req, res) => {
  const archivePath = req.file.path;

  // Extract to a "safe" directory
  await tar.extract({
    file: archivePath,
    cwd: '/var/app/uploads/extracted/'
  });

  res.json({ success: true });
});

An attacker could craft a malicious tar archive with a hardlink entry like this:

# Inside malicious.tar
# Regular file
./innocent-file.txt

# Malicious hardlink with path traversal
link: ../../../../etc/cron.d/malicious-job
linkname: innocent-file.txt

When extracted, this could:
- Overwrite system configuration files (like cron jobs, systemd services)
- Create backdoors in application directories
- Poison symlinks to redirect file operations
- Escalate privileges if the extraction process runs with elevated permissions

The Symlink Poisoning Angle

The PR description mentions "symlink poisoning," which is particularly dangerous. Attackers could:

  1. Create a symlink pointing to a sensitive file (e.g., /etc/passwd)
  2. Later in the archive, write content to that symlink
  3. Effectively modify system files through the poisoned symlink

The Fix

What Changed?

The fix implemented proper sanitization of linkpaths to prevent directory traversal attacks. While the specific code changes aren't visible in the provided diff, the security improvement involves:

  1. Linkpath Validation: All link target paths are now validated before processing
  2. Path Normalization: Removing or blocking path traversal sequences (../, ..\\)
  3. Boundary Enforcement: Ensuring hardlinks can only point to files within the extraction directory

How the Fix Works

The corrected implementation likely follows this pattern:

// Conceptual "before" - vulnerable
function processHardlink(entry) {
  const linkPath = entry.linkpath; // Unsanitized!
  const targetPath = path.join(extractDir, entry.path);

  fs.linkSync(linkPath, targetPath); // Dangerous!
}

// Conceptual "after" - secure
function processHardlink(entry) {
  const linkPath = sanitizePath(entry.linkpath);
  const targetPath = path.join(extractDir, entry.path);

  // Verify both paths are within extraction directory
  if (!isWithinDirectory(extractDir, linkPath) || 
      !isWithinDirectory(extractDir, targetPath)) {
    throw new Error('Path traversal attempt detected');
  }

  fs.linkSync(linkPath, targetPath);
}

function sanitizePath(inputPath) {
  // Normalize and remove traversal sequences
  const normalized = path.normalize(inputPath);

  // Block absolute paths and traversal attempts
  if (path.isAbsolute(normalized) || 
      normalized.includes('..')) {
    throw new Error('Invalid path');
  }

  return normalized;
}

function isWithinDirectory(parent, child) {
  const relative = path.relative(parent, child);
  return !relative.startsWith('..') && !path.isAbsolute(relative);
}

Security Improvements

The fix provides multiple layers of defense:

  • Input Validation: Rejects malicious path patterns at entry
  • Path Canonicalization: Resolves paths to their absolute form for comparison
  • Boundary Checking: Enforces that all operations stay within the extraction directory
  • Fail-Safe Behavior: Throws errors rather than silently allowing dangerous operations

Prevention & Best Practices

1. Keep Dependencies Updated

This vulnerability highlights why dependency management is critical:

# Regularly audit your dependencies
npm audit

# Update to patched versions
npm update

# Use automated tools
npm install -g npm-check-updates
ncu -u

2. Implement Defense in Depth

Never rely solely on library security. Add your own checks:

const tar = require('tar');
const path = require('path');
const fs = require('fs');

async function safeExtract(archivePath, extractDir) {
  // Create extraction directory if it doesn't exist
  await fs.promises.mkdir(extractDir, { recursive: true });

  // Use a temporary directory first
  const tempDir = path.join(extractDir, '.tmp-' + Date.now());

  try {
    await tar.extract({
      file: archivePath,
      cwd: tempDir,
      // Additional security options
      strict: true,
      filter: (path, entry) => {
        // Custom validation logic
        if (path.includes('..')) return false;
        if (entry.type === 'Link' || entry.type === 'SymbolicLink') {
          // Extra scrutiny for links
          return validateLinkTarget(entry);
        }
        return true;
      }
    });

    // Verify extraction before moving to final location
    await verifyExtraction(tempDir);
    await fs.promises.rename(tempDir, extractDir);

  } catch (error) {
    // Clean up on failure
    await fs.promises.rm(tempDir, { recursive: true, force: true });
    throw error;
  }
}

3. Apply Principle of Least Privilege

Run extraction processes with minimal permissions:

// Drop privileges before extraction
if (process.getuid && process.getuid() === 0) {
  process.setgid('nobody');
  process.setuid('nobody');
}

4. Use Sandboxing

Consider containerization or sandboxing for archive processing:

# Dockerfile example
FROM node:18-alpine

# Create non-root user
RUN addgroup -g 1001 -S appuser && \
    adduser -u 1001 -S appuser -G appuser

# Run as non-root
USER appuser

# Isolated extraction directory
WORKDIR /app/extraction

5. Implement File System Monitoring

Detect suspicious extraction behavior:

const chokidar = require('chokidar');

function monitorExtraction(extractDir) {
  const watcher = chokidar.watch(extractDir, {
    ignored: /(^|[\/\\])\../, // ignore dotfiles
    persistent: true
  });

  watcher.on('add', (path) => {
    // Check if file is outside expected directory
    if (!isWithinDirectory(extractDir, path)) {
      console.error('Security violation: file created outside extraction dir');
      // Take action: stop process, alert, etc.
    }
  });
}

6. Security Standards & References

This vulnerability maps to several security standards:

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • OWASP Top 10: A05:2021 – Security Misconfiguration
  • OWASP ASVS: V12.1 File Upload Requirements

7. Testing for Path Traversal

Include security tests in your CI/CD pipeline:

// Example test case
describe('Archive Extraction Security', () => {
  it('should reject archives with path traversal in hardlinks', async () => {
    const maliciousArchive = createMaliciousArchive({
      linkpath: '../../../../etc/passwd',
      path: 'innocent.txt'
    });

    await expect(
      tar.extract({ file: maliciousArchive, cwd: './safe-dir' })
    ).rejects.toThrow(/path traversal/i);
  });

  it('should reject absolute paths in linkpaths', async () => {
    const maliciousArchive = createMaliciousArchive({
      linkpath: '/etc/passwd',
      path: 'innocent.txt'
    });

    await expect(
      tar.extract({ file: maliciousArchive, cwd: './safe-dir' })
    ).rejects.toThrow();
  });
});

Conclusion

CVE-2026-24842 serves as a critical reminder that archive handling is a high-risk operation requiring careful security consideration. The path traversal vulnerability in node-tar's hardlink processing could have allowed attackers to compromise systems through seemingly innocent file extraction operations.

Key takeaways:

  1. Update immediately: Ensure you're using the patched version of node-tar
  2. Audit your dependencies: Regularly check for known vulnerabilities
  3. Implement defense in depth: Don't rely solely on library security
  4. Validate all file operations: Especially when handling untrusted archives
  5. Apply least privilege: Run extraction processes with minimal permissions

Archive extraction vulnerabilities aren't theoretical—they're actively exploited in the wild. By understanding how these attacks work and implementing proper defenses, you can protect your applications and users from compromise.

Stay vigilant, keep your dependencies updated, and always treat user-provided archives as potentially malicious. Security isn't a one-time fix; it's an ongoing practice of awareness, validation, and defense.

Resources:
- OWASP Path Traversal
- CWE-22: Path Traversal
- npm Security Best Practices
- Node.js Security Best Practices

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #65
View Repository →

Related Articles

medium

Mass Assignment Vulnerability: Why Your Rails Models Need attr_accessible

A medium-severity mass assignment vulnerability was identified in a Ruby on Rails model that lacked proper attribute whitelisting via `attr_accessible` or strong parameters. Without this protection, attackers can manipulate any model attribute through crafted HTTP requests, potentially escalating privileges or corrupting data. The fix enforces explicit attribute allowlisting, closing the door on unauthorized mass assignment exploitation.

critical

Shell Injection via os.system(): How a Single Line of Code Can Compromise Your System

A critical OS command injection vulnerability (CWE-78) was discovered and patched in `voice.py`, where user-controlled input was interpolated directly into a shell command string passed to `os.system()`. An attacker who could influence the `device` variable — through a config file, environment variable, or any external input — could execute arbitrary system commands with the full privileges of the running process. The fix replaces the dangerous `os.system()` calls with Python's `subprocess.run()

critical

Command Injection via os.system() in DeepSpeed's Data Analyzer: A Critical Fix

A critical command injection vulnerability was discovered in DeepSpeed's `data_analyzer.py`, where an `os.system()` call directly interpolated an unsanitized file path variable into a shell command string. An attacker who could influence dataset configuration or file paths could execute arbitrary shell commands on the host machine. The fix replaces the dangerous shell invocation with safe, Python-native file operations that never touch a shell interpreter.

high

CVE-2026-40073: How a BODY_SIZE_LIMIT Bypass in @sveltejs/adapter-node Put Your App at Risk

CVE-2026-40073 is a high-severity vulnerability in `@sveltejs/adapter-node` that allows attackers to bypass the `BODY_SIZE_LIMIT` configuration, potentially enabling denial-of-service attacks and resource exhaustion against SvelteKit applications. The vulnerability was silently present in versions prior to `@sveltejs/kit` 2.57.1, and has now been patched by upgrading the dependency across all affected project examples. If your application relies on body size limits to protect against oversized p

medium

From eval() to ast.literal_eval(): Closing a Code Injection Door in Slack Data Processing

A medium-severity vulnerability was discovered in a Slack data processing component where the use of Python's built-in `eval()` function to parse error message dictionaries could allow an attacker to inject and execute arbitrary code. The fix replaces `eval()` with the safer `ast.literal_eval()`, which safely evaluates only Python literals without executing arbitrary expressions. This change eliminates a critical attack surface that could have been exploited through crafted error messages return

critical

Critical Buffer Overflow in ELF Parser: How a Missing Bounds Check Almost Became a Heap Exploit

A critical out-of-bounds memory vulnerability was discovered and patched in `utils/symbol-rawelf.c`, where two separate `memcpy` calls lacked proper bounds validation when processing ELF binary files. Without these checks, a maliciously crafted ELF file could trigger an out-of-bounds read or heap overflow, potentially leading to remote code execution or memory corruption. This post breaks down how the vulnerability works, how it was fixed, and what every C developer should know about safe memory