CVE-2026-23745
Essential information
- Published
- 16/01/2026 22:16
- Modified
- 16/01/2026 22:16
- Author
- —
- Creator
- —
- CVSS
- 8.2 HIGH (v3) 8.2 HIGH (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
—
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- LOCAL
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- NONE
- User interaction
- ACTIVE
- Confidentiality (V)
- HIGH
- Confidentiality (S)
- HIGH
- Integrity (V)
- LOW
- Integrity (S)
- LOW
- Availability (V)
- NONE
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
NVD status
- Status
- Received — CVE has been recently published to the CVE List and has been received by the NVD.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| node-tar / node-tar | cpe:2.3:a:node-tar:node-tar:<7.5.3:*:*:*:*:*:*:* |
| node-tar / node-tar | cpe:2.3:a:node-tar:node-tar:7.5.3:*:*:*:*:*:*:* |