GitHub Advisory — node-tar hardlink path traversal (CVE-2026-24842)
• Category: Security
AI relevance: Node-based agent tooling (MCP servers, LangChainJS services, automation workers) often extracts archives in CI and at runtime; a crafted TAR can overwrite files that control tool permissions, prompts, or credentials for deployed agents.
- What happened: CVE-2026-24842 is a vulnerability in node-tar where the hardlink safety check and the actual hardlink creation logic resolve paths differently.
- Impact: an attacker can craft a malicious TAR archive that bypasses traversal protections and creates hardlinks to arbitrary files outside the extraction directory (i.e., write/overwrite primitives depending on extraction context).
- Why hardlinks matter: even if you think you “only extract into a temp dir,” hardlinks can target paths elsewhere on the filesystem if path validation is inconsistent.
- How this shows up in real life: CI pipelines, artifact handlers, plugin systems, and “import workflow / install pack” features routinely untar untrusted or semi-trusted inputs.
- Agent-stack wrinkle: attackers don’t need full RCE to cause damage; overwriting .env, agent config, tool allowlists, or prompt templates can shift an agent’s behavior or expose secrets.
- Patch signal: upstream shipped a fix that aligns hardlink validation with creation semantics and includes a commit referencing the issue.
Why it matters
- Supply chain is the new runtime: agent systems are assembled from many small services and scripts; build-time extraction bugs can quietly compromise production images.
- Multi-tenant “agent ops”: a shared automation box that runs multiple agents (or builds multiple customers’ workers) increases blast radius if one job can influence filesystem state.
- It’s a control-plane target: overwriting the files that define tool access (or the wrappers that enforce approval) can be as bad as direct secret theft.
What to do
- Patch: identify where you use tar/node-tar (directly or transitively) and upgrade to a fixed version per the upstream advisory.
- Reduce trust: treat any extracted archive as hostile; only untar content you expect (allowlist filenames) and avoid extracting into privileged paths.
- Sandbox extraction: run archive handling in containers with read-only roots, no host mounts, and minimal filesystem permissions.
- Detect drift: for agent runners, monitor unexpected changes to prompt templates, tool configs, and environment files (file integrity monitoring / signed configs).
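One way to apply the "reduce trust" step before any extractor touches the archive, as an added example (not node-tar's code and not from the advisory): a header-only audit using Node built-ins that rejects every link or extension entry and enforces a filename allowlist. The function names, the policy, and the sample archive are assumptions constructed for illustration.

```javascript
// Added example: audit tar headers before extraction. Node built-ins only.
// Assumed policy: accept only regular files ('0') and directories ('5') with relative,
// allowlisted names; hardlinks, symlinks and pax/GNU extension headers fail closed.
const BLOCK = 512;
const LINK_TYPES = { 1: 'hardlink', 2: 'symlink' };
// Read a NUL-terminated string field from a 512-byte header block.
function field(h, start, len) {
  const raw = h.subarray(start, start + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? len : end);
}

// Returns a list of violations; an empty list means the archive passed.
function auditTar(buf, allowed) {
  const problems = [];
  for (let off = 0; off + BLOCK <= buf.length; ) {
    const h = buf.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    const prefix = field(h, 257, 6) === 'ustar' ? field(h, 345, 155) : '';
    const name = (prefix ? prefix + '/' : '') + field(h, 0, 100);
    const type = field(h, 156, 1) || '0'; // NUL typeflag means regular file
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    if (Number.isNaN(size)) return [...problems, `${name}: unparseable size`];
    if (type !== '0' && type !== '5') {
      problems.push(`${name}: entry type ${LINK_TYPES[type] || type} rejected`);
    } else if (name.startsWith('/') || name.split('/').includes('..')) {
      problems.push(`${name}: path escapes extraction root`);
    } else if (!allowed.has(name.replace(/\/$/, ''))) {
      problems.push(`${name}: not on allowlist`);
    }
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // header + padded body
  }
  return problems;
}

// Constructed sample header (checksum omitted; this audit does not read it).
function header(name, type, size = 0, linkname = '') {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0);
  h.write(size.toString(8).padStart(11, '0'), 124);
  h.write(type, 156);
  h.write(linkname, 157);
  h.write('ustar', 257); // magic; the following NUL is already in place
  return h;
}
// Constructed archive: directory, file plus one body block, hardlink entry, end marker.
const sample = Buffer.concat([header('config/', '5'), header('config/tools.json', '0', 5),
  Buffer.alloc(BLOCK, 'hello'), header('config/link', '1', 0, 'config/tools.json'),
  Buffer.alloc(2 * BLOCK)]);
```

Run the audit on the raw archive bytes and extract only when it returns an empty list; the policy is deliberately stricter than what a tar library accepts, so it does not depend on the library's own link checks.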
Sources
- Upstream advisory: GHSA-34x7-hfp2-rc4v
- Fix commit: f4a7aa9 (node-tar)
- NVD: CVE-2026-24842
- GitLab advisory (aggregated): CVE-2026-24842 (tar)