Main Vulnerability Database Vulnerabilities #VU123629

#VU123629 Link following in node-tar - CVE-2026-29786

Published: March 9, 2026 / Updated: March 13, 2026

Vulnerability identifier: #VU123629

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/U:Amber

CVE-ID: CVE-2026-29786

CWE-ID: CWE-59

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
node-tar

Software vendor:
isaacs

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to insecure handling of hard links inside archives. A remote attacker can supply a specially crafted archive to the application that can overwrite arbitrary files on the system with privileges of the process performing data extraction.

Remediation

Install updates from vendor's website.

External links

https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96

#VU123629 Link following in node-tar - CVE-2026-29786

Description

Remediation

External links

Please verify you're human