CVE-2026-23745 is a path traversal vulnerability classified under CWE-22 affecting the node-tar library, a widely used tar archive utility for Node.js. Versions up to 7.5.2 fail to properly sanitize the linkpath attribute of Link (hardlink) and SymbolicLink entries when the preservePaths option is set to false, which is the default secure setting. This improper sanitization allows maliciously crafted tar archives to escape the intended extraction directory, enabling attackers to overwrite arbitrary files on the filesystem. The vulnerability enables two main attack vectors: arbitrary file overwrite via hardlinks and symlink poisoning through absolute symbolic link targets. Exploiting this flaw can compromise system integrity by modifying critical files or planting malicious symlinks that redirect legitimate processes to attacker-controlled files. The CVSS 4.0 score of 8.2 reflects a high severity due to the potential for significant impact on confidentiality and integrity, despite requiring user interaction and local access vector. No authentication or privileges are needed, increasing the risk in multi-user or shared environments. The vulnerability was publicly disclosed on January 16, 2026, and fixed in node-tar version 7.5.3. While no known exploits have been reported in the wild, the widespread use of node-tar in Node.js applications and development environments makes this a critical issue to address promptly.

For European organizations, this vulnerability poses a substantial risk, especially for those relying on Node.js applications that utilize node-tar for archive extraction. Successful exploitation can lead to arbitrary file overwrites, potentially allowing attackers to modify configuration files, inject malicious code, or disrupt application functionality. This can result in data integrity loss, application downtime, and potential lateral movement within networks. Critical sectors such as finance, healthcare, and government services that depend on Node.js for backend services or DevOps pipelines could face operational disruptions and data breaches. The requirement for user interaction and local access somewhat limits remote exploitation but does not eliminate risk in environments where users handle untrusted archives or where attackers have gained limited access. Additionally, symlink poisoning can be leveraged to escalate privileges or evade detection by redirecting file operations to attacker-controlled locations. The absence of known exploits currently provides a window for mitigation, but the high severity score underscores the urgency for European organizations to act.

European organizations should immediately upgrade all instances of node-tar to version 7.5.3 or later to remediate this vulnerability. Beyond patching, implement strict validation and sanitization of all archive files before extraction, especially those received from untrusted sources. Employ sandboxed or containerized environments for archive extraction to limit potential damage from malicious files. Enforce the principle of least privilege for users and processes handling archive extraction to reduce the impact of any successful exploit. Monitor file system changes and employ integrity verification tools to detect unauthorized modifications. Incorporate security awareness training for developers and system administrators about the risks of handling untrusted archives and the importance of timely patching. Finally, review and harden DevOps pipelines and CI/CD processes that utilize node-tar to prevent supply chain attacks leveraging this vulnerability.