CVE-2026-29786: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in isaacs node-tar
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
AI Analysis
Technical Summary
CVE-2026-29786 is a path traversal vulnerability classified under CWE-22 and CWE-59 in the isaacs node-tar package, a widely used tar archive library for Node.js. Prior to version 7.5.10, node-tar does not adequately restrict link targets during extraction, so a specially crafted archive can create a hardlink whose target lies outside the intended extraction directory. Specifically, a drive-relative link target such as "C:../target.txt" is not recognised as escaping the extraction root: the path validation logic fails to correctly sanitize or restrict the drive-relative form, so the hardlink resolves outside the current working directory and an attacker can overwrite files there during a normal tar.x() extraction.

The vulnerability requires no privileges or authentication, but the victim must extract a malicious archive, so user interaction is required. The CVSS 4.0 vector (AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L) describes a local attack vector with low complexity, no privileges required and user interaction needed, with high impact on integrity (VI:H, SI:H) and low impact on availability (VA:L, SA:L). Arbitrary file overwrite can allow attackers to modify critical files, inject malicious code or disrupt application behaviour.

The vulnerability was publicly disclosed on March 7, 2026 and patched in node-tar version 7.5.10. No exploits in the wild have been reported to date, but the risk remains significant because node-tar is widespread in JavaScript development and deployment pipelines.
Potential Impact
The primary impact of this vulnerability is arbitrary file overwrite outside the intended extraction directory, which compromises system integrity and availability. Attackers could overwrite critical configuration files, inject malicious scripts or disrupt application functionality, leading to system compromise or denial of service. Because node-tar is commonly used in Node.js environments for package management, deployment and build processes, many organizations that rely on JavaScript ecosystems are exposed. The requirement for user interaction (extracting a malicious tar archive) limits remote exploitation but does not eliminate the risk, especially where untrusted archives are processed automatically. The vulnerability could be leveraged in supply chain attacks, malicious package distributions or insider threats. The high CVSS score reflects the severity of the potential impacts on confidentiality (low), integrity (high) and availability (low to medium). Organizations with automated deployment pipelines or CI/CD systems that extract archives with vulnerable node-tar versions face an elevated risk of disruption or compromise.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade all instances of node-tar to version 7.5.10 or later, where the path traversal flaw has been patched. In addition, validate archive contents before extraction, in particular link entries (hardlinks and symlinks) whose targets are absolute, drive-relative or resolve outside the extraction root, especially for archives from untrusted or external origins. Extract archives in sandboxed or isolated environments to limit the damage a malicious archive can do. Integrate dependency and security scanning into CI/CD pipelines to detect vulnerable node-tar versions and suspicious archive contents. Educate developers and operations teams about the risks of extracting untrusted archives and enforce policies restricting such actions. Monitor file system changes and audit logs for unexpected modifications outside extraction directories, which could indicate exploitation attempts. Finally, if upgrading node-tar is not immediately feasible, consider an alternative archive extraction library with stronger path-containment guarantees.
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, Canada, Australia, France
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.899Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69ac4840c48b3f10ffa9ddda
Added to database: 3/7/2026, 3:46:08 PM
Last enriched: 3/14/2026, 7:57:26 PM
Last updated: 4/21/2026, 1:32:55 PM