CVE Details
| CVE ID |
Severity |
Affected Package |
Installed Version |
Fixed Version |
Date Published |
Date of Scan |
| CVE-2026-23745 |
HIGH |
tar |
6.2.1 |
7.5.3 |
2026-01-16T22:16:26.83Z |
2026-01-17T10:18:18.92322961Z |
Affected Docker Images
| Image Name |
SHA |
public.ecr.aws/lambda/nodejs:latest |
public.ecr.aws/lambda/nodejs@sha256:94f6119a0b4084fe51c753798d2f11c29501fdd006d8baf389c148a807dc5f82 |
public.ecr.aws/lambda/nodejs:24 |
public.ecr.aws/lambda/nodejs@sha256:e29eb34a5953d435c76e593927ba030ad308b3a0dafb99fdb23df3adb584d2b6 |
public.ecr.aws/lambda/nodejs:22 |
public.ecr.aws/lambda/nodejs@sha256:94f6119a0b4084fe51c753798d2f11c29501fdd006d8baf389c148a807dc5f82 |
public.ecr.aws/lambda/nodejs:20 |
public.ecr.aws/lambda/nodejs@sha256:04683e8010cf2bbefade4a192e51100f535fc48a0c34b91234ea64d6ae25468b |
Description
node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Remediation Steps
- Update the affected package
tar from version 6.2.1 to 7.5.3.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.
