## Critical Path Traversal Flaws in Tar Library Demand Immediate Upgrade to v7.5.11
A critical security update for the widely used `tar` library patches multiple high-severity vulnerabilities that allow attackers to bypass directory protections and write to arbitrary files on a system. The flaws, centered in the library's handling of hardlinks and symlinks, create a direct path for malicious archives to compromise file integrity outside the designated extraction folder. This is not a theoretical risk; the vulnerabilities enable precise exploitation to overwrite or link to sensitive system files, posing a severe threat to any application that processes untrusted tar archives.

The GitHub issue details a mandatory minor version upgrade from `tar` v7.4.3 to v7.5.11 to resolve six documented CVEs. Two of the most severe are CVE-2026-24842 and CVE-2026-26960, both rated HIGH. The core failure involves a discrepancy in path resolution logic: security checks for hardlinks use different semantics than the actual creation logic, allowing an attacker to craft an archive that slips past safeguards. This bypass enables the creation of hardlinks pointing to any file on the filesystem, effectively granting write access outside the intended extraction directory.

The `tar` library is a foundational dependency for countless Node.js applications and build tools, making this a supply chain security event with broad implications. Developers and security teams must treat this as an urgent patch, as the exploitation vector is straightforward—processing a maliciously crafted archive. Failure to upgrade leaves applications vulnerable to data corruption, privilege escalation, and full system compromise, depending on the context in which the tar library is executed. The fix, while a minor version bump, is a non-negotiable security requirement.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, supply-chain, nodejs, open-source
- **Credibility**: unverified
- **Published**: 2026-03-26 00:27:24
- **ID**: 34280
- **URL**: https://whisperx.ai/en/intel/34280