## https://sploitus.com/exploit?id=F5CD8598-D1BF-55A7-A32C-7A75312EC1A4
# CVE-2026-29786
**Research:** [Joshua van Rijswijk](https://github.com/Jvr2022)
## Description
This repository contains a **Proof of Concept (PoC)** for **CVE-2026-29786**, a vulnerability in the `tar` npm package that allows a crafted archive to create a **hardlink pointing outside the intended extraction directory**.
The issue occurs when a tar archive contains a **drive-relative link target** such as `C:../target.txt`. Because of the order in which the library performs validation and path normalization during extraction, the traversal protection can be bypassed.
After normalization, the path becomes `../target.txt`, allowing the link target to escape the configured extraction directory.
When the extracted file is written to, the external file is modified because both paths reference the same hardlink.
## Vulnerability Details
The vulnerability occurs in the extraction logic responsible for handling absolute paths (`Unpack[STRIPABSOLUTEPATH]`).
Traversal detection is performed **before** absolute path stripping.
Example malicious header value
`linkpath: C:../target.txt`
Processing behavior:
1. The path is split into segments for traversal detection.
2. The traversal check looks for `".."` segments.
3. Because the segment appears as `"C:.."`, the check does not trigger.
4. The function `stripAbsolutePath()` later removes the drive prefix (`C:`).
5. The resulting path becomes:
`../target.txt`
6. The hardlink target is then resolved relative to the extraction directory.
This allows the path to escape the intended extraction root.
## Impact
An attacker can overwrite files **outside the extraction directory** with the privileges of the process performing the extraction.
Potential real-world scenarios include:
⢠CLI tools extracting **untrusted tar archives**
⢠build pipelines processing **third-party artifacts**
⢠services importing **user-supplied tar files**
⢠package managers or plugin systems unpacking archives
## Usage
1. Install the vulnerable dependency
`npm install tar@7.5.9`
2. Run the PoC
`node poc.cjs`
The script generates a malicious tar archive and demonstrates that writing to the extracted file results in a file outside the extraction directory being overwritten.
## References
- GitHub Security Advisory
[https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96](https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96)
- CVE https://nvd.nist.gov/vuln/detail/CVE-2026-29786