Skip to content

[Aikido] Fix security issue in tar via minor version upgrade from 7.5.6 to 7.5.15 in npm#4

Open
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-33666059-rhup
Open

[Aikido] Fix security issue in tar via minor version upgrade from 7.5.6 to 7.5.15 in npm#4
aikido-autofix[bot] wants to merge 1 commit into
mainfrom
fix/aikido-security-update-packages-33666059-rhup

Conversation

@aikido-autofix

Copy link
Copy Markdown

Upgrade tar to fix path traversal vulnerabilities in hardlink handling that allow arbitrary file read/write access outside extraction directories.

⚠️ Breaking changes analysis not available for: tar

✅ 2 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue Severity           Description
CVE-2026-24842
HIGH
[tar] A path traversal vulnerability exists where hardlink security checks use different path resolution semantics than the actual creation logic, allowing attackers to bypass protections and create hardlinks to arbitrary files outside the extraction directory.
CVE-2026-26960
HIGH
[tar] An attacker-controlled tar archive can create hardlinks pointing outside the extraction directory, enabling arbitrary file read/write access as the extracting user. This bypasses path protections and allows direct filesystem access during archive extraction.
🤖 Remediation details

Fix security vulnerabilities in tar direct dependency

Short summary

This PR remediates two high-severity CVEs in the tar package. The fix is applied directly in npm/package.json (where tar is declared as a direct dependency) and is reflected in the updated npm/package-lock.json.

tar

tar is a direct dependency declared in npm/package.json. Its version spec was raised from ^7.5.3 to ^7.5.8 to establish a semver floor that excludes the two vulnerable releases, and npm install --package-lock-only resolved the lockfile to 7.5.15. The update was necessary because both CVE-2026-24842 (patched in 7.5.7) and CVE-2026-26960 (patched in 7.5.8) affect the previously resolved version 7.5.6; bumping the declared minimum to ^7.5.8 ensures neither vulnerability can be re-introduced by a future lockfile refresh within the same caret range.

Version changes

Package From To Why updated
tar ^7.5.3 → resolved 7.5.6 ^7.5.8 → resolved 7.5.15 Direct CVE fix (CVE-2026-24842, CVE-2026-26960)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants