
CVE-2026-24842: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar

Severity: High
Tags: Vulnerability, CVE-2026-24842, CWE-22, CWE-59
Published: Wed Jan 28 2026 (01/28/2026, 00:20:13 UTC)
Source: CVE Database V5
Vendor/Project: isaacs
Product: node-tar

Description

CVE-2026-24842 is a high-severity path traversal vulnerability in node-tar versions prior to 7.5.7. The flaw arises because the security check for hardlink entries uses different path resolution logic than the actual hardlink creation, allowing attackers to craft malicious TAR archives that bypass protections. This enables creation of hardlinks to arbitrary files outside the intended extraction directory, potentially exposing sensitive data. Exploitation requires user interaction to extract a crafted archive but no privileges or authentication. The vulnerability impacts confidentiality primarily, with limited integrity impact and no availability impact. A fixed version, 7.5.7, is available.

AI-Powered Analysis

AI analysis last updated: 01/28/2026, 00:50:18 UTC

Technical Analysis

CVE-2026-24842 is a path traversal vulnerability affecting the node-tar package for Node.js, specifically in versions before 7.5.7. The vulnerability stems from inconsistent path resolution semantics between the security check for hardlink entries and the actual hardlink creation logic. During extraction of TAR archives, node-tar attempts to prevent path traversal by validating paths of hardlink entries to ensure they remain within the extraction directory. However, the mismatch in path resolution allows an attacker to craft a malicious TAR archive containing hardlink entries that bypass these checks. As a result, the extraction process can create hardlinks pointing to arbitrary files outside the intended directory, potentially overwriting or exposing sensitive files on the host system. This can lead to unauthorized disclosure of confidential information if sensitive files are linked and accessed. The vulnerability does not require privileges or authentication but does require the victim to extract a malicious archive, implying user interaction. The CVSS v3.1 score is 8.2 (high), reflecting the network attack vector, low attack complexity, no privileges required, but user interaction needed, and a scope change with high confidentiality impact and low integrity impact. No known exploits are reported in the wild yet. The issue is fixed in node-tar version 7.5.7, which aligns path resolution semantics for security checks and hardlink creation, effectively preventing path traversal via hardlinks.

Potential Impact

For European organizations, this vulnerability poses a significant risk to confidentiality, especially for those relying on node-tar in software development, continuous integration/continuous deployment (CI/CD) pipelines, or any automated systems that extract TAR archives from untrusted or semi-trusted sources. Attackers could craft malicious TAR files that, when extracted, create hardlinks to sensitive files outside the extraction directory, potentially exposing credentials, configuration files, or other sensitive data. This could lead to data breaches or facilitate further attacks such as privilege escalation or lateral movement if sensitive files are overwritten or exposed. The integrity impact is limited but not negligible, as attackers might overwrite files via hardlinks in some scenarios. Availability is not directly impacted. The requirement for user interaction (extracting the malicious archive) limits automated exploitation but does not eliminate risk, especially in environments where automated extraction occurs. Organizations with large Node.js developer communities or those using node-tar in production environments are at higher risk. The vulnerability could also affect supply chain security if malicious TAR archives are introduced into build or deployment processes.

Mitigation Recommendations

European organizations should immediately upgrade all instances of node-tar to version 7.5.7 or later to ensure the vulnerability is patched. Additionally, organizations should implement strict validation and sanitization of TAR archives before extraction, especially those obtained from external or untrusted sources. Employing sandboxed or isolated environments for archive extraction can limit potential damage from exploitation. Monitoring and logging TAR extraction activities can help detect suspicious behavior. Incorporating integrity checks such as cryptographic signatures on TAR archives can prevent unauthorized or malicious archives from being processed. For CI/CD pipelines, ensure that dependencies and build artifacts are sourced from trusted repositories and scanned for vulnerabilities. Educate developers and system administrators about the risks of extracting untrusted archives and enforce policies restricting such actions. Finally, conduct audits of existing systems to identify any use of vulnerable node-tar versions and remediate promptly.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-27T14:51:03.059Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 697959ec4623b1157c540f5b

Added to database: 1/28/2026, 12:35:56 AM

Last enriched: 1/28/2026, 12:50:18 AM

Last updated: 1/28/2026, 2:20:33 AM

