CVE Details
| CVE ID |
Severity |
Affected Package |
Installed Version |
Fixed Version |
Date Published |
Date of Scan |
| CVE-2026-24842 |
HIGH |
tar |
6.2.1 |
7.5.7 |
2026-01-28T01:16:14.947Z |
2026-01-29T10:18:18.7579844Z |
Affected Docker Images
| Image Name |
SHA |
public.ecr.aws/lambda/nodejs:latest |
public.ecr.aws/lambda/nodejs@sha256:14e36a4a5253050c9aa85a9647579818e7354669107c67af8575a15396fb8c4d |
public.ecr.aws/lambda/nodejs:24 |
public.ecr.aws/lambda/nodejs@sha256:84657f3edb98fbf362dbd13133cf8dfd42da7fbd19b08f25d82ce6385e6044a5 |
public.ecr.aws/lambda/nodejs:22 |
public.ecr.aws/lambda/nodejs@sha256:14e36a4a5253050c9aa85a9647579818e7354669107c67af8575a15396fb8c4d |
public.ecr.aws/lambda/nodejs:20 |
public.ecr.aws/lambda/nodejs@sha256:b240103d428d50a293f24d428548f55a556b7763f944998ce94e32d230ddbaa8 |
Description
node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Remediation Steps
- Update the affected package
tar from version 6.2.1 to 7.5.7.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.
