JustAppSec

node-tar hardlink escape enables arbitrary file read/write

Published 20 Feb 2026. Updated 20 Feb 2026. Source: CVE Project (cvelistV5)

TL;DR — A hardlink escape in the tar npm package allows malicious archives to read and write arbitrary files outside the extraction directory.

What happened

The tar npm package (node-tar) is a widely used Node.js library for creating and extracting tar archives, with over 20 million weekly downloads. The vulnerability lets an attacker-controlled archive create a hardlink inside the extraction directory that points to a file outside the intended root, which gives the archive arbitrary file read and write as the extracting user.

This is a well-known attack vector against archive extraction libraries — Go's archive/tar, Python's tarfile, and Rust's tar crate have all had similar path-escape bugs. If your service extracts untrusted archives, this is a pattern worth auditing across your stack.

Who is impacted

  • Projects that use the npm package tar for extraction (directly or transitively) and may extract untrusted archives.
  • Affected versions: tar < 7.5.8.
  • Severity: CVSS 3.1 base score 7.1 (High).

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing (versions 7.5.8 and later are not listed as affected).
  • Audit code paths where tar.extract() processes archives from external users (uploads, CI artifacts, build caches, plugin content).
  • Consider extracting in a sandboxed context (container/namespace with limited filesystem access) if untrusted archives must be processed.
