CVE-2026-24842
Vulnerability
node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
ecosystem: redhat:8, redhat:9, redhat:10
A flaw was found in node-tar, a Node.js module for handling TAR archives. This vulnerability allows a remote attacker to bypass path traversal protections by crafting a malicious TAR archive. The security check for hardlink entries uses different path resolution logic than the actual hardlink creation, enabling the attacker to create hardlinks to arbitrary files outside the intended extraction directory. This could lead to unauthorized information disclosure or further system compromise.
References
- secalert@redhat.com: https://access.redhat.com/security/cve/CVE-2026-24842
- secalert@redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2433645
- secalert@redhat.com: https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46
- secalert@redhat.com: https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v
- secalert@redhat.com: https://nvd.nist.gov/vuln/detail/CVE-2026-24842
- secalert@redhat.com: https://www.cve.org/CVERecord?id=CVE-2026-24842
type: vendor
source: secalert@redhat.com
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
| Metric | Value |
|---|---|
| AV (Attack Vector) | Network |
| AC (Attack Complexity) | Low |
| PR (Privileges Required) | None |
| UI (User Interaction) | Required |
| S (Scope) | Changed |
| C (Confidentiality) | High |
| I (Integrity) | Low |
| A (Availability) | None |
source: secalert@redhat.com
weakness: Improper Link Resolution Before File Access ('Link Following')
source: secalert@redhat.com
published: 2026-01-28 00:20:13
modified: 2026-02-02 08:21:00
Detection
redhat-vex (OR: any of the listed packages matches)
- binary packages: nodejs, nodejs-devel, nodejs-docs, nodejs-full-i18n, nodejs-libs, nodejs-npm, sgx-common, sgx-libs, sgx-mpa, sgx-pckid-tool, tdx-qgs
- source package: nodejs22
- tag: rhel-10:b80bcfb1-921f-0310-88a1-5d0eaf9eecb5
redhat-vex (OR: any of the listed packages matches)
- binary packages: grafana, grafana-azure-monitor, grafana-cloudwatch, grafana-elasticsearch, grafana-graphite, grafana-influxdb, grafana-loki, grafana-mssql, grafana-mysql, grafana-opentsdb, grafana-postgres, grafana-prometheus, grafana-selinux, grafana-stackdriver
- source package: grafana
- tag: rhel-8-including-unpatched:a6618379-c998-bcc2-6548-61c943711fea
redhat-vex (OR: any of the listed packages matches)
- binary packages: grafana, grafana-selinux, nodejs:20::nodejs, nodejs:20::nodejs-docs, nodejs:20::nodejs-full-i18n, nodejs:20::nodejs-libs, nodejs:20::npm, nodejs:22::nodejs, nodejs:22::nodejs-docs, nodejs:22::nodejs-full-i18n, nodejs:22::nodejs-libs, nodejs:22::npm, polkit-devel, polkit-docs, polkit-libs, sgx-common, sgx-libs, sgx-mpa, sgx-pckid-tool, tdx-qgs
- source packages: grafana, nodejs:20::nodejs, nodejs:22::nodejs, polkit
- tag: rhel-9-including-unpatched:3391f347-998d-8236-1771-5d3de3af53ff
Data Sources
- RedHat Enterprise Linux CSAF VEX
redhat-vex