Share
## https://sploitus.com/exploit?id=F5CD8598-D1BF-55A7-A32C-7A75312EC1A4
# CVE-2026-29786

**Research:** [Joshua van Rijswijk](https://github.com/Jvr2022)

## Description

This repository contains a **Proof of Concept (PoC)** for **CVE-2026-29786**, a vulnerability in the `tar` npm package that allows a crafted archive to create a **hardlink pointing outside the intended extraction directory**.

The issue occurs when a tar archive contains a **drive-relative link target** such as `C:../target.txt`. Because of the order in which the library performs validation and path normalization during extraction, the traversal protection can be bypassed.

After normalization, the path becomes `../target.txt`, allowing the link target to escape the configured extraction directory.

When the extracted file is written to, the external file is modified because both paths reference the same hardlink.

## Vulnerability Details

The vulnerability occurs in the extraction logic responsible for handling absolute paths (`Unpack[STRIPABSOLUTEPATH]`).

Traversal detection is performed **before** absolute path stripping.

Example malicious header value

`linkpath: C:../target.txt`

Processing behavior:

1. The path is split into segments for traversal detection.

2. The traversal check looks for `".."` segments.

3. Because the segment appears as `"C:.."`, the check does not trigger.

4. The function `stripAbsolutePath()` later removes the drive prefix (`C:`).

5. The resulting path becomes:

`../target.txt`

6. The hardlink target is then resolved relative to the extraction directory.

This allows the path to escape the intended extraction root.

## Impact

An attacker can overwrite files **outside the extraction directory** with the privileges of the process performing the extraction.

Potential real-world scenarios include:

• CLI tools extracting **untrusted tar archives**
• build pipelines processing **third-party artifacts**
• services importing **user-supplied tar files**
• package managers or plugin systems unpacking archives

## Usage

1. Install the vulnerable dependency

`npm install tar@7.5.9`

2. Run the PoC

`node poc.cjs`

The script generates a malicious tar archive and demonstrates that writing to the extracted file results in a file outside the extraction directory being overwritten.

## References

- GitHub Security Advisory
[https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96](https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96)
- CVE https://nvd.nist.gov/vuln/detail/CVE-2026-29786