FKIE_CVE-2026-24842

Vulnerability from fkie_nvd - Published: 2026-01-28 01:16 - Updated: 2026-06-30 05:17
Severity
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Summary
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
References
security-advisories@github.comhttps://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46Patch
security-advisories@github.comhttps://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4vExploit, Vendor Advisory
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/errata/RHSA-2026:18480
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/errata/RHSA-2026:18868
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/errata/RHSA-2026:2900
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/errata/RHSA-2026:33371
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/errata/RHSA-2026:5447
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/errata/RHSA-2026:6192
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://access.redhat.com/security/cve/CVE-2026-24842
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://bugzilla.redhat.com/show_bug.cgi?id=2433645
0b0ca135-0b70-47e7-9f44-1890c2a1c46chttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24842.json
Impacted products
Vendor Product Version
isaacs tar *
To clipboard 

{
  "affected": [
    {
      "affectedData": [
        {
          "product": "node-tar",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 7.5.7"
            }
          ]
        }
      ],
      "source": "security-advisories@github.com"
    },
    {
      "affectedData": [
        {
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7 Server",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10.2"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux AppStream (v. 10)",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:enterprise_linux:9::appstream"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Enterprise Linux AppStream (v. 9)",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:network_observ_optr:1.11::el9"
          ],
          "defaultStatus": "affected",
          "product": "Network Observability (NETOBSERV) 1.11.2",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_devspaces:3.27::el9"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenShift Dev Spaces 3.27",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:trusted_artifact_signer:1.3::el9"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Trusted Artifact Signer 1.3",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:logging:5"
          ],
          "defaultStatus": "affected",
          "product": "Logging Subsystem for Red Hat OpenShift",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:red_hat_3scale_amp:2"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat 3scale API Management Platform 2",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:rhdh:1"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Developer Hub",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:jboss_fuse:7"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Fuse 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift:4"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat OpenShift Container Platform 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_data_foundation:4"
          ],
          "defaultStatus": "affected",
          "product": "Red Hat Openshift Data Foundation 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:cryostat:4"
          ],
          "defaultStatus": "unaffected",
          "product": "Cryostat 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:multicluster_engine"
          ],
          "defaultStatus": "unaffected",
          "product": "Multicluster Engine for Kubernetes",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:acm:2"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Advanced Cluster Management for Kubernetes 2",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:amq_broker:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat AMQ Broker 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:apache_camel_hawtio:4"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat build of Apache Camel - HawtIO 4",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:10"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 10",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:6"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 6",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:8"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 8",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/o:redhat:enterprise_linux:9"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Enterprise Linux 9",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:hummingbird:1"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Hardened Images",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat JBoss Enterprise Application Platform 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_application_platform:8"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat JBoss Enterprise Application Platform 8",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:jbosseapxp"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_ai"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat OpenShift AI (RHOAI)",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:openshift_devspaces:3"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat OpenShift Dev Spaces",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Process Automation 7",
          "vendor": "Red Hat"
        },
        {
          "cpes": [
            "cpe:/a:redhat:red_hat_single_sign_on:7"
          ],
          "defaultStatus": "unaffected",
          "product": "Red Hat Single Sign-On 7",
          "vendor": "Red Hat"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "BE6D2DB4-4688-4527-B851-2AEAB030313F",
              "versionEndExcluding": "7.5.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue."
    },
    {
      "lang": "es",
      "value": "node-tar, un Tar para Node.js, contiene una vulnerabilidad en versiones anteriores a la 7.5.7 donde la comprobaci\u00f3n de seguridad para las entradas de enlaces duros utiliza sem\u00e1nticas de resoluci\u00f3n de rutas diferentes a la l\u00f3gica real de creaci\u00f3n de enlaces duros. Esta discrepancia permite a un atacante crear un archivo TAR malicioso que omite las protecciones de salto de ruta y crea enlaces duros a archivos arbitrarios fuera del directorio de extracci\u00f3n. La versi\u00f3n 7.5.7 contiene una soluci\u00f3n para el problema."
    }
  ],
  "id": "CVE-2026-24842",
  "lastModified": "2026-06-30T05:17:56.997",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 4.7,
        "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-24842",
          "options": [
            {
              "exploitation": "poc"
            },
            {
              "automatable": "no"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-01-28T14:55:08.552380Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-01-28T01:16:14.947",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/errata/RHSA-2026:18480"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/errata/RHSA-2026:18868"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/errata/RHSA-2026:2900"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/errata/RHSA-2026:33371"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/errata/RHSA-2026:5447"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/errata/RHSA-2026:6192"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://access.redhat.com/security/cve/CVE-2026-24842"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433645"
    },
    {
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-24842.json"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-59"
        }
      ],
      "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.