DEBIAN-CVE-2026-24842

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-24842
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24842.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-24842
Upstream
Published
2026-01-28T01:16:14.947Z
Modified
2026-01-28T10:30:03.564215Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
Summary
[none]
Details

node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.

References

Affected packages

Debian:11 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.0.5+ds1+~cs11.3.9-1
6.0.5+ds1+~cs11.3.9-1+deb11u1
6.0.5+ds1+~cs11.3.9-1+deb11u2
6.1.0+ds1+~cs11.3.9-1
6.1.7+~cs11.3.10-1
6.1.11+~cs11.2.13-1~bpo11+1
6.1.11+~cs11.3.10-1~bpo11+1
6.1.11+~cs11.3.10-1
6.1.11+ds1+~cs6.0.6-1
6.1.11+ds1+~cs6.0.6-2
6.1.12+~cs6.1.5-1
6.1.13+~cs7.0.5-1
6.1.13+~cs7.0.5-2
6.1.13+~cs7.0.5-3
6.1.13+~cs7.0.5-4
6.2.1+~cs7.0.8-1
6.2.1+ds1+~cs6.1.13-1
6.2.1+ds1+~cs6.1.13-2
6.2.1+ds1+~cs6.1.13-3
6.2.1+ds1+~cs6.1.13-4
6.2.1+ds1+~cs6.1.13-5
6.2.1+ds1+~cs6.1.13-6
6.2.1+ds1+~cs6.1.13-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24842.json"

Debian:12 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.1.13+~cs7.0.5-1
6.1.13+~cs7.0.5-2
6.1.13+~cs7.0.5-3
6.1.13+~cs7.0.5-4
6.2.1+~cs7.0.8-1
6.2.1+ds1+~cs6.1.13-1
6.2.1+ds1+~cs6.1.13-2
6.2.1+ds1+~cs6.1.13-3
6.2.1+ds1+~cs6.1.13-4
6.2.1+ds1+~cs6.1.13-5
6.2.1+ds1+~cs6.1.13-6
6.2.1+ds1+~cs6.1.13-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24842.json"

Debian:13 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.2.1+~cs7.0.8-1
6.2.1+ds1+~cs6.1.13-1
6.2.1+ds1+~cs6.1.13-2
6.2.1+ds1+~cs6.1.13-3
6.2.1+ds1+~cs6.1.13-4
6.2.1+ds1+~cs6.1.13-5
6.2.1+ds1+~cs6.1.13-6
6.2.1+ds1+~cs6.1.13-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24842.json"

Debian:14 / node-tar

Package

Name
node-tar
Purl
pkg:deb/debian/node-tar?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

6.*
6.2.1+~cs7.0.8-1
6.2.1+ds1+~cs6.1.13-1
6.2.1+ds1+~cs6.1.13-2
6.2.1+ds1+~cs6.1.13-3
6.2.1+ds1+~cs6.1.13-4
6.2.1+ds1+~cs6.1.13-5
6.2.1+ds1+~cs6.1.13-6
6.2.1+ds1+~cs6.1.13-7

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-24842.json"