CVE-2024-28863
A path containing too many nested sub-folders makes the client
generate a large number of sub-folders, which can consume memory on
the system and even crash the Node.js client within a few seconds.
CVE-2026-23745
When preservePaths is false, the linkpath of Link (hardlink) and
SymbolicLink entries is not sanitized, allowing malicious
archives to bypass the extraction root restriction, leading to
arbitrary file overwrites via hardlinks and symlink poisoning via
absolute symlink targets.
The fix for this issue introduces several of the following
vulnerabilities.
CVE-2026-24842
The security check for hardlink entries allows an attacker to craft
a malicious TAR archive that bypasses path traversal protections and
creates hardlinks to arbitrary files outside the extraction
directory.
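
The linkpath problem described under CVE-2026-23745 and CVE-2026-24842 can be checked for before an archive is handed to an extractor. The following is an added example, not code from the affected project: it walks plain ustar headers (pax and GNU long-name extensions and the prefix field are not handled) and reports Link and SymbolicLink entries whose linkpath is absolute or resolves outside the extraction root. The names findEscapingLinks, field and header, and the sample archive, are constructed for illustration.

```javascript
// Added example (not the affected project's code): audit link entries in a tar buffer.
const path = require('node:path').posix;

// Read a NUL-terminated string field from a 512-byte ustar header.
const field = (h, off, len) => h.subarray(off, off + len).toString('utf8').split('\0')[0];

// Return link entries whose target is absolute or resolves outside the extraction root.
function findEscapingLinks(tarBuf) {
  const findings = [];
  for (let off = 0; off + 512 <= tarBuf.length;) {
    const h = tarBuf.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    const name = field(h, 0, 100);
    const type = String.fromCharCode(h[156]); // '1' = Link, '2' = SymbolicLink
    const linkpath = field(h, 157, 100);
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    if (type === '1' || type === '2') {
      // Hardlink targets are relative to the archive root,
      // symlink targets to the directory that holds the entry.
      const base = type === '1' ? '.' : path.dirname(name);
      const resolved = path.normalize(path.join(base, linkpath));
      if (path.isAbsolute(linkpath) || resolved === '..' || resolved.startsWith('../')) {
        findings.push({ name, type: type === '1' ? 'Link' : 'SymbolicLink', linkpath });
      }
    }
    off += 512 + Math.ceil(size / 512) * 512; // skip header plus padded body
  }
  return findings;
}

// Build a minimal constructed header (sample data; the checksum is not used by this audit).
function header(name, type, linkpath) {
  const h = Buffer.alloc(512);
  h.write(name, 0);
  h.write('00000000000\0', 124); // size 0, octal
  h.write(type, 156);
  h.write(linkpath, 157);
  return h;
}

// Constructed sample archive: one benign symlink and three escaping link entries.
const sample = Buffer.concat([
  header('pkg/ok', '2', 'lib/real.js'),
  header('pkg/abs', '2', '/outside/target'),
  header('pkg/up', '2', '../../outside'),
  header('pkg/hard', '1', '../outside/file'),
  Buffer.alloc(1024), // two zero blocks end the archive
]);
console.log(findEscapingLinks(sample));
```
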
CVE-2026-26960
An attacker-controlled archive can create a hardlink inside the
extraction directory that points to a file outside the extraction