PatchSiren cyber security CVE debrief
CVE-2026-29786 isaacs CVE debrief
CVE-2026-29786 is a high-severity vulnerability in node-tar, a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10. The vulnerability has a CVSS score of 8.2 and is classified as HIGH. The CVE was published on March 7, 2026, and modified on June 30, 2026.
- Vendor: isaacs
- Product: node-tar
- CVSS: HIGH 8.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-07
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-07
- Advisory updated: 2026-06-30
Who should care
Developers and administrators whose applications use node-tar should patch immediately. The vulnerability allows files outside the current working directory to be overwritten during extraction, which can lead to security breaches.
Technical summary
The vulnerability in node-tar allows an attacker to create a hardlink that points outside the extraction directory using a drive-relative link target. This enables file overwrite outside the current working directory during normal tar.x() extraction. The issue has been patched in version 7.5.10. The CVSS vector for this vulnerability is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
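The following is an added example, not code from node-tar or from this advisory: a pre-extraction check that classifies link targets and shows why a drive-relative target such as C:../target.txt needs its own rule. The function names, the extraction root, the sample link paths, and the "naive" filter are all hypothetical, and the check assumes hardlink targets are resolved against the extraction root.

```javascript
// Added example, not node-tar's code: vet tar link targets before extraction.
const { win32 } = require('node:path');

// Hypothetical naive filter: reject absolute targets and ".." path segments.
function naiveIsSafe(linkpath) {
  if (win32.isAbsolute(linkpath)) return false;
  return !linkpath.split(/[\\/]/).includes('..');
}

// Stricter verdict for a link target, resolved against the extraction root
// (assumption: hardlink targets are interpreted relative to that root).
function classifyLinkTarget(root, linkpath) {
  // "C:foo" or "C:../foo": a drive letter with no separator after the colon.
  if (/^[A-Za-z]:(?![\\/])/.test(linkpath)) return 'drive-relative';
  if (win32.isAbsolute(linkpath)) return 'absolute';
  const rel = win32.relative(root, win32.resolve(root, linkpath));
  if (rel === '..' || rel.startsWith('..\\') || win32.isAbsolute(rel)) {
    return 'escapes-root';
  }
  return 'ok';
}

// Where a link target lands once it is joined to the extraction root.
function resolvedTarget(root, linkpath) {
  return win32.resolve(root, linkpath);
}

// Constructed sample data, not taken from a real archive.
const ROOT = 'C:\\extract\\out';
const SAMPLE_LINKS = [
  'docs/readme.txt',
  '../target.txt',
  'C:../target.txt',
  'C:\\other\\file.txt',
];

// One row per link target: naive result next to the stricter verdict.
function audit(root, links) {
  return links.map((linkpath) => ({
    linkpath,
    naive: naiveIsSafe(linkpath),
    verdict: classifyLinkTarget(root, linkpath),
    resolved: resolvedTarget(root, linkpath),
  }));
}

console.table(audit(ROOT, SAMPLE_LINKS));
```

The drive-relative row is the only one where the naive filter and the stricter verdict disagree: the target is not absolute and has no standalone ".." segment, yet it resolves to a path above the extraction root.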
Defensive priority
High priority should be given to patching node-tar to version 7.5.10 or later. Additionally, defenders should monitor for potential attacks and implement compensating controls to prevent file overwrites.
Recommended defensive actions
- Patch node-tar to version 7.5.10 or later
- Monitor for potential attacks
- Implement compensating controls to prevent file overwrites
- Review and update security configurations
- Perform vulnerability scanning and inventory checks
Evidence notes
The CVE-2026-29786 vulnerability was published on March 7, 2026, and modified on June 30, 2026. The vulnerability has a CVSS score of 8.2 and is classified as HIGH. The issue has been patched in version 7.5.10 of node-tar.
Official resources
- CVE-2026-29786 CVE record: CVE.org
- CVE-2026-29786 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.