Skip to content

chore(deps): update dependency tar to v7.5.8 [security]#521

Merged
academo merged 1 commit into
mainfrom
renovate/npm-tar-vulnerability
Feb 18, 2026
Merged

chore(deps): update dependency tar to v7.5.8 [security]#521
academo merged 1 commit into
mainfrom
renovate/npm-tar-vulnerability

Conversation

@renovate-sh-app
Copy link
Copy Markdown
Contributor

@renovate-sh-app renovate-sh-app Bot commented Feb 18, 2026

This PR contains the following updates:

Package Change Age Confidence
tar 7.5.77.5.8 age confidence

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction

CVE-2026-26960 / GHSA-83g3-92jg-28cx

More information

Details

Summary

tar.extract() in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.

This enables arbitrary file read and write as the extracting user (no root, no chmod, no preservePaths).

Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.

Details

The bypass chain uses two symlinks plus one hardlink:

  1. a/b/c/up -> ../..
  2. a/b/escape -> c/up/../..
  3. exfil (hardlink) -> a/b/escape/<target-relative-to-parent-of-extract>

Why this works:

  • Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.

    • See STRIPABSOLUTEPATH logic in:
      • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255
      • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268
      • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281

  • Hardlink extraction resolves target as path.resolve(cwd, entry.linkpath) and then calls fs.link(target, destination).

    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703

  • Parent directory safety checks (mkdir + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path.

    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101

As a result, exfil is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via exfil.

PoC

hardlink.js
Environment used for validation:

  • Node: v25.4.0
  • tar: 7.5.7
  • OS: macOS Darwin 25.2.0
  • Extract options: defaults (tar.extract({ file, cwd }))

Steps:

  1. Prepare/locate a tar module. If require('tar') is not available locally, set TAR_MODULE to an absolute path to a tar package directory.

  2. Run:

TAR_MODULE="$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)" node hardlink.js
  1. Expected vulnerable output (key lines):
same_inode=true
read_ok=true
write_ok=true
result=VULNERABLE

Interpretation:

  • same_inode=true: extracted exfil and external secret are the same file object.
  • read_ok=true: reading exfil leaks external content.
  • write_ok=true: writing exfil modifies external file.
Impact

Vulnerability type:

  • Arbitrary file read/write via archive extraction path confusion and link resolution.

Who is impacted:

  • Any application/service that extracts attacker-controlled tar archives with Node tar defaults.
  • Impact scope is the privileges of the extracting process user.

Potential outcomes:

  • Read sensitive files reachable by the process user.
  • Overwrite writable files outside extraction root.
  • Escalate impact depending on deployment context (keys, configs, scripts, app data).

Severity

  • CVSS Score: Unknown
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

isaacs/node-tar (tar)

v7.5.8

Compare Source

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

Need help?

You can ask for more help in the following Slack channel: #proj-renovate-self-hosted. In that channel you can also find ADR and FAQ docs in the Resources section.

@renovate-sh-app
chore(deps): update dependency tar to v7.5.8 [security]
8986647 
| datasource | package | from  | to    |
| ---------- | ------- | ----- | ----- |
| npm        | tar     | 7.5.7 | 7.5.8 |


Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@renovate-sh-app renovate-sh-app Bot requested review from a team as code owners February 18, 2026 05:56
@renovate-sh-app renovate-sh-app Bot requested a review from Ukochka February 18, 2026 05:56
@grafana-plugins-platform-bot grafana-plugins-platform-bot Bot moved this from 📬 Triage to 🔬 In review in Grafana Catalog Team Feb 18, 2026
@academo academo merged commit e968649 into main Feb 18, 2026
7 checks passed
@academo academo deleted the renovate/npm-tar-vulnerability branch February 18, 2026 09:41
@github-project-automation github-project-automation Bot moved this from 🔬 In review to 🚀 Shipped in Grafana Catalog Team Feb 18, 2026
s4kh pushed a commit that referenced this pull request Feb 20, 2026
@renovate-sh-app @s4kh
chore(deps): update dependency tar to v7.5.8 [security] (#521)
229b858 
| datasource | package | from  | to    |
| ---------- | ------- | ----- | ----- |
| npm        | tar     | 7.5.7 | 7.5.8 |

Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
@grafana-plugins-platform-bot grafana-plugins-platform-bot Bot mentioned this pull request May 8, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@academo academo academo approved these changes

@Ukochka Ukochka Awaiting requested review from Ukochka Ukochka was automatically assigned from grafana/plugins-platform-frontend

@toddtreece toddtreece Awaiting requested review from toddtreece toddtreece was automatically assigned from grafana/plugins-platform-backend

@wbrowne wbrowne Awaiting requested review from wbrowne wbrowne was automatically assigned from grafana/plugins-platform-backend

@xnyo xnyo Awaiting requested review from xnyo xnyo was automatically assigned from grafana/plugins-platform-backend

Assignees

No one assigned

Labels

automerge-security-update severity:UNKNOWN

Projects

Grafana Catalog Team
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@academo