CVE-2026-23745 — MEDIUM (6.1)

Q: How severe is CVE-2026-23745?

CVE-2026-23745 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-23745?

Check the references section above for vendor advisories and patch information. Affected products include: Isaacs Tar.

Vulnerability Description

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Isaacs	Tar	< 7.5.3

Related Weaknesses (CWE)

CWE-22

References

https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face40Patch
https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97ExploitPatchVendor Advisory

FAQ

What is CVE-2026-23745?

CVE-2026-23745 is a vulnerability with a CVSS score of 6.1 (MEDIUM). node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). Thi...

How severe is CVE-2026-23745?

CVE-2026-23745 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-23745?

Check the references section above for vendor advisories and patch information. Affected products include: Isaacs Tar.