GHSA-34x7-hfp2-rc4v · Severity: high · Ecosystem: npm — node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Conclusion & alert: CVE-2026-24842 is rated Exploit Available (50.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.03%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-01-28 | — | 0.03% | — |
Full EPSS history (1 record total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 8.2 | 3.1 | HIGH |
|
2.8 | 4.7 | [email protected] |
GHSA-34x7-hfp2-rc4v · Severity: high · Ecosystem: npm — node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2026-24842: 1 source package rows (tar); 33 state rows across 6 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 33, open 0. | https://security.alpinelinux.org/vuln/CVE-2026-24842 |
debian
|
unimportant | CVE-2026-24842 unimportant priority: Debian including 1 source packages (node-tar), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2026-24842 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2026-24842 |
suse
|
high | CVE-2026-24842 severity important: SUSE including 43 source package names (corepack20, corepack22, …), 149 product×package rows across 19 product lines (SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS, SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS, … (19 product lines)): Known Not Affected 145, Fixed 4. | https://www.suse.com/security/cve/CVE-2026-24842/ |
ubuntu
|
medium | CVE-2026-24842 medium priority: Ubuntu including 1 source packages (node-tar), 8 status rows across 8 suites (bionic, focal, jammy, noble, questing, trusty, upstream, xenial): needs-triage 8. | https://ubuntu.com/security/CVE-2026-24842 |
| URL | Tags |
|---|---|
| https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 | Patch |
| https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v | Exploit Vendor Advisory |