Skip to content

CVE-2026-24842 node-tar: Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal#648

Open
sbouchet wants to merge 3 commits intoche-incubator:mainfrom
sbouchet:CVE-2026-24842
Open

CVE-2026-24842 node-tar: Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal#648
sbouchet wants to merge 3 commits intoche-incubator:mainfrom
sbouchet:CVE-2026-24842

Conversation

@sbouchet
Copy link
Collaborator

@sbouchet sbouchet commented Feb 4, 2026
edited
Loading

What does this PR do?

This PR fixes GHSA-34x7-hfp2-rc4v : Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal.
tar version is updated to 7.5.7

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-10039

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

@github-actions
Copy link

github-actions bot commented Feb 4, 2026
edited
Loading

Click here to review and test in web IDE: Contribute

@sbouchet
CVE-2026-24842 node-tar: Vulnerable to Arbitrary File Creation/Overwrite
4262a4d 
via Hardlink Path Traversal

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@github-actions
Copy link

github-actions bot commented Feb 4, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

1 similar comment
@github-actions
Copy link

github-actions bot commented Feb 4, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

@sbouchet
added rebase rules
3ff4416 
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet
added rebase rules
138f824 
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@github-actions
Copy link

github-actions bot commented Feb 4, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

1 similar comment
@github-actions
Copy link

github-actions bot commented Feb 4, 2026

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-648-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-648-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-648-dev-amd64

@sbouchet sbouchet marked this pull request as ready for review February 5, 2026 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rgrunber rgrunber Awaiting requested review from rgrunber rgrunber is a code owner

@azatsarynnyy azatsarynnyy Awaiting requested review from azatsarynnyy azatsarynnyy is a code owner

@RomanNikitenko RomanNikitenko Awaiting requested review from RomanNikitenko RomanNikitenko is a code owner

@vitaliy-guliy vitaliy-guliy Awaiting requested review from vitaliy-guliy vitaliy-guliy is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sbouchet