CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-26960 | HIGH | tar | 6.2.1 | 7.5.8 | 2026-02-20T02:16:53.883Z | 2026-02-20T10:19:04.799927151Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:75324e6335efc458856ddcb49429a5806fa66c581529746296ded84f0f8fdd92 |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:2ae0aecfac970190fe1fa2f9de439fb35340d285eb29a715ce6daf18eda7f54c |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:75324e6335efc458856ddcb49429a5806fa66c581529746296ded84f0f8fdd92 |
| public.ecr.aws/lambda/nodejs:20 | public.ecr.aws/lambda/nodejs@sha256:b1d950b97aaedc054c6c9c5409c98cf5c8f29de370a6f344113e1aeeaa441707 |
Description
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Remediation Steps
- Update the affected package tar from version 6.2.1 to 7.5.8.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.