VSA-2026-004: Node-Tar
| Published | Updated | Severity | CVSS 4.0 | Affected products |
|---|---|---|---|---|
| 2026-01-29 | 2026-01-29 | 🟢 Low | Not available yet | Xen Orchestra |
A vulnerability in the "node-tar" dependency has been discovered. For Vates products, we classify the impact as Low, as exploiting the vulnerability requires access to Xen Orchestra. For details on how we assign severity levels, see our Severity Levels Explained page.
Summary
node-tar is a tar archive library for Node.js. The library fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false, which is the default (secure) behavior.
Impact
This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets.
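As an added illustration (not code from Vates, Xen Orchestra or node-tar), the following Python audits an archive's Link and SymbolicLink entries before extraction, resolving each linkpath against the intended extraction root and reporting those that land outside it; the root path and the sample archive are constructed for the example.

```python
"""Pre-extraction audit of tar link entries (constructed example, not node-tar or XO code)."""
import io
import posixpath
import tarfile


def _escapes_root(root, entry_dir, target):
    """True if `target`, resolved from `entry_dir` under `root`, lands outside `root`.
    Tar paths are POSIX, so posixpath is used regardless of the host platform."""
    if posixpath.isabs(target):
        return True  # an absolute linkpath always points outside the extraction tree
    resolved = posixpath.normpath(posixpath.join(root, entry_dir, target))
    return resolved != root and not resolved.startswith(root + "/")


def find_unsafe_links(tar_bytes, root="/opt/xo/extract"):
    """Return (entry name, linkpath, kind) for each Link/SymbolicLink entry escaping `root`."""
    root = posixpath.normpath(root)  # assumed extraction root, for illustration only
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if not (m.issym() or m.islnk()):
                continue
            # A hardlink's linkpath names another archive entry, so it resolves from the
            # archive root; a symlink's target resolves from the symlink's own directory.
            base = "" if m.islnk() else posixpath.dirname(m.name)
            if _escapes_root(root, base, m.linkname):
                unsafe.append((m.name, m.linkname, "hardlink" if m.islnk() else "symlink"))
    return unsafe


def build_sample_archive():
    """Constructed sample: a regular file, two benign links, and two links escaping the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        payload = b"{}\n"
        cfg = tarfile.TarInfo("app/config.json")
        cfg.size = len(payload)
        tf.addfile(cfg, io.BytesIO(payload))
        links = [
            ("app/current.json", tarfile.SYMTYPE, "config.json"),           # benign
            ("app/sub/up.json", tarfile.SYMTYPE, "../config.json"),         # benign: stays inside root
            ("app/hostname", tarfile.SYMTYPE, "/etc/hostname"),             # absolute symlink target
            ("app/escape.txt", tarfile.LNKTYPE, "../../../outside/t.txt"),  # hardlink leaving the root
        ]
        for name, kind, target in links:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()
```

A relative target containing `..` is only rejected when it actually leaves the root, so legitimate intra-archive links are not flagged.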
Affected Versions
- Xen Orchestra: Affected.
Mitigation
We do not provide a mitigation for this vulnerability, but we recommend that, in production, access to Xen Orchestra remains limited to authorized persons only.
Resolution
Starting with version 6.2, all dependencies have been updated in the official Xen Orchestra GitHub repository. Users are protected moving forward.
Credits
This issue was reported by Joshua van Rijswijk.