What is CVE-2026-23745?

CVE-2026-23745 is a vulnerability in Isaacs Node-tar, classified under Path Traversal. Published 2026-01-16.

Is CVE-2026-23745 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Isaacs Node-tar

CVE-2026-23745

node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass t…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (1.4th percentile) — read the EPSS interpretation.

Affected products

Isaacs Node-tar — versions < 7.5.3

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

Novem13th/CVE-2026-23745-via-graphql-DEMO

References

https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97 (x_refsource_CONFIRM)
https://github.com/isaacs/node-tar/commit/340eb285b6d986e91969a1170d7fe9b0face405e (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-23745?: CVE-2026-23745 is a vulnerability in Isaacs Node-tar, classified under Path Traversal. Published 2026-01-16.
Is CVE-2026-23745 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.