CVE-2026-29786: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2026-29786 affects the node-tar package, a widely used Node.js library for handling tar archives. Prior to version 7.5.10, node-tar improperly limits pathname resolution when extracting tar files, specifically failing to correctly handle drive-relative hardlink targets such as 'C:../target.txt'. This flaw allows an attacker to create a tar archive that, when extracted, can write files outside the intended extraction directory by exploiting path traversal via hardlinks. This behavior violates the principle of restricting file operations to a safe directory, enabling potential overwriting of arbitrary files on the host system. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-59 (Link Following). Exploitation requires a victim to extract a malicious tarball, which could be delivered via social engineering or compromised software distributions. The CVSS 4.0 base score is 8.2, reflecting high severity due to the potential for integrity and availability impact, ease of exploitation without privileges, and the broad scope of affected systems using node-tar. The issue was publicly disclosed on March 7, 2026, and patched in node-tar version 7.5.10. No known exploits have been reported in the wild to date.
Potential Impact
This vulnerability poses a significant risk to organizations relying on node-tar for archive extraction, especially in automated deployment pipelines, CI/CD systems, or any environment where tar files are extracted from untrusted or semi-trusted sources. Successful exploitation can lead to arbitrary file overwrites outside the extraction directory, potentially allowing attackers to modify critical system files, inject malicious code, or disrupt application functionality. This compromises system integrity and could lead to denial of service or further escalation if critical configuration or executable files are overwritten. The impact is amplified in environments where node-tar is used with elevated privileges or in production systems. Given node-tar's popularity in the Node.js ecosystem, a wide range of organizations, from software vendors to cloud service providers, could be affected. Although no active exploitation is known, the vulnerability's nature and ease of exploitation make it a high-risk issue requiring prompt remediation.
Mitigation Recommendations
Organizations should immediately upgrade all instances of node-tar to version 7.5.10 or later to ensure the vulnerability is patched. Additionally, implement strict validation and sanitization of tar archives before extraction, especially those received from untrusted or external sources. Employ sandboxed or isolated environments for archive extraction to limit potential damage from malicious files. Integrate automated scanning tools to detect vulnerable node-tar versions in software dependencies and CI/CD pipelines. Educate developers and operations teams about the risks of extracting archives from unverified sources. Where possible, use alternative archive formats or libraries with stronger security guarantees. Monitor systems for unexpected file modifications that could indicate exploitation attempts. Finally, maintain robust backup and recovery procedures to restore systems in case of compromise.
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, Canada, Australia, France, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.899Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ac4840c48b3f10ffa9ddda
Added to database: 3/7/2026, 3:46:08 PM
Last enriched: 3/7/2026, 4:00:21 PM
Last updated: 3/8/2026, 3:52:26 AM