PatchSiren cyber security CVE debrief

CVE-2026-29786 isaacs CVE debrief

CVE-2026-29786 is a high-severity vulnerability in node-tar, a full-featured Tar implementation for Node.js. Prior to version 7.5.10, node-tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside the current working directory during normal tar.x() extraction. The issue has been patched in version 7.5.10. The vulnerability has a CVSS score of 8.2 and is classified as HIGH. The CVE was published on March 7, 2026, and modified on June 30, 2026.

Vendor: isaacs
Product: node-tar
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-07
Original CVE updated: 2026-06-30
Advisory published: 2026-03-07
Advisory updated: 2026-06-30

Who should care

Developers and administrators whose applications extract tar archives with node-tar, in particular archives that come from untrusted sources, should be aware of this vulnerability and patch promptly. Extracting a crafted archive can overwrite files outside the current working directory, so the impact depends on which files the extracting process is able to write. Node-tar users should prioritize patching to prevent such overwrites.

Technical summary

The vulnerability in node-tar allows a crafted archive to create a hardlink that points outside the extraction directory by using a drive-relative link target (for example C:../target.txt). This enables file overwrite outside the current working directory during normal tar.x() extraction. The issue has been patched in version 7.5.10. The CVSS vector for this vulnerability is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X; the local attack vector with passive user interaction (AV:L, UI:P) reflects that a victim must extract the malicious archive, and the high integrity impact (VI:H, SI:H) reflects the resulting file overwrite.

Defensive priority

High priority should be given to patching node-tar to version 7.5.10 or later. Until the patch is deployed, defenders should avoid extracting untrusted archives with affected versions, watch for unexpected file creation or modification outside extraction directories, and implement compensating controls such as rejecting hardlink entries whose targets point outside the extraction directory.

Recommended defensive actions

  • Patch node-tar to version 7.5.10 or later
  • Monitor for unexpected file creation or overwrite outside extraction directories
  • Implement compensating controls, such as validating hardlink targets before extraction, to prevent file overwrites
  • Review and update security configurations
  • Perform vulnerability scanning and inventory checks to locate affected node-tar versions

Evidence notes

The CVE-2026-29786 vulnerability was published on March 7, 2026, and modified on June 30, 2026. The vulnerability has a CVSS score of 8.2 and is classified as HIGH. The issue has been patched in version 7.5.10 of node-tar.

Official resources

This article is AI-assisted and based on the supplied source corpus.