
CVE-2026-23745: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar

Severity: High
Tags: Vulnerability, CVE-2026-23745, CWE-22
Published: Fri Jan 16 2026 (01/16/2026, 22:00:08 UTC)
Source: CVE Database V5
Vendor/Project: isaacs
Product: node-tar

Description

CVE-2026-23745 is a high-severity path traversal vulnerability in the node-tar library (versions prior to 7.5.3) used in Node.js environments. The flaw arises from improper sanitization of linkpath values in hardlink and symbolic link entries during archive extraction when preservePaths is false, allowing attackers to bypass extraction root restrictions. Exploitation can lead to arbitrary file overwrite and symlink poisoning, potentially compromising system integrity. The vulnerability does not require privileges but does require user interaction to trigger extraction of a malicious archive. Although no known exploits are currently in the wild, affected systems should update to node-tar 7.5.3 or later.

AI-Powered Analysis

Last updated: 01/16/2026, 22:35:58 UTC

Technical Analysis

CVE-2026-23745 is a path traversal vulnerability classified under CWE-22 affecting the node-tar library for Node.js versions earlier than 7.5.3. Node-tar is widely used for handling tar archives in JavaScript environments. The vulnerability stems from the library's failure to properly sanitize the linkpath attribute of hardlink and symbolic link entries during extraction when the preservePaths option is set to false, which is the default secure setting. This improper sanitization allows maliciously crafted tar archives to escape the intended extraction directory, enabling attackers to overwrite arbitrary files on the filesystem or create poisoned symbolic links. Such actions can lead to privilege escalation, code execution, or disruption of system integrity depending on the files overwritten or linked. The CVSS 4.0 score of 8.2 reflects a high severity, with an attack vector classified as local (requiring user interaction to extract a malicious archive), low attack complexity, no privileges required, and high impact on confidentiality and system control. Although no exploits have been reported in the wild yet, the vulnerability poses a significant risk to any Node.js application that processes untrusted tar archives using node-tar. The issue was addressed in version 7.5.3 of node-tar, which includes proper sanitization of linkpaths to prevent directory traversal and symlink attacks. Organizations using affected versions should prioritize upgrading and consider additional controls such as validating archive contents and restricting file system permissions to mitigate potential exploitation.

Potential Impact

For European organizations, this vulnerability can have serious consequences, particularly for those relying on Node.js applications that handle tar archives, such as software development firms, cloud service providers, and web hosting companies. Successful exploitation could lead to arbitrary file overwrites, allowing attackers to modify critical system or application files, inject malicious code, or disrupt services. This compromises system integrity and could lead to data breaches or service outages. The requirement for user interaction (extracting a malicious archive) means social engineering or supply chain attacks could be vectors. Given the widespread use of Node.js in European tech sectors, the vulnerability could impact a broad range of organizations, from startups to large enterprises. The potential for symlink poisoning also raises risks for containerized environments and CI/CD pipelines that rely on tar extraction, potentially affecting development and deployment workflows. While no known exploits exist yet, the high CVSS score and ease of exploitation warrant immediate attention to prevent future attacks.

Mitigation Recommendations

1. Upgrade node-tar to version 7.5.3 or later immediately to apply the official fix for this vulnerability.
2. Implement strict validation of tar archive contents before extraction, including checking for absolute paths, linkpaths, and symbolic links that could escape the intended extraction directory.
3. Employ sandboxing or containerization for processes that handle archive extraction to limit the impact of potential file overwrites.
4. Restrict file system permissions for the user accounts performing extraction to minimize the ability to overwrite sensitive files.
5. Educate developers and system administrators about the risks of extracting untrusted archives and encourage the use of trusted sources.
6. Integrate security scanning tools into CI/CD pipelines to detect usage of vulnerable node-tar versions.
7. Monitor logs and file integrity to detect unusual file modifications that could indicate exploitation attempts.
8. Consider using alternative archive extraction libraries with stronger security guarantees if upgrading is not immediately feasible.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-15T15:45:01.958Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696ab9f0b22c7ad868fb1aa0

Added to database: 1/16/2026, 10:21:36 PM

Last enriched: 1/16/2026, 10:35:58 PM

Last updated: 1/16/2026, 11:28:46 PM

