CVE-2025-64118
Published 2025-10-30
CVE-2025-64118: node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file…
Priority: P4 · 22 · medium · 6.1 (CVSS 4.0)
EPSS: 0.13% (2.8th percentile)
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | — | — |
| gnu | tar | >= 7.5.1 < 7.5.2 | 7.5.2 |
| isaacs | node-tar | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 6.1 | MEDIUM | CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.1 | MEDIUM | — |
| vendor_debian | — | 6.1 | LOW | — |
| vendor_redhat | — | 6.1 | MEDIUM | — |
Red Hat
node-tar: tar: node-tar: Information disclosure via reading a truncated tar file
vendor_redhat · 2025-10-30 · CVSS 6.1 · MEDIUM · CWE-367
A flaw was found in node-tar, a Tar utility for Node.js. This vulnerability allows a local attacker to potentially disclose sensitive information. When the .t (or .list) function is used with { sync: true } to read tar entry contents, and the tar file is concurrently modified on disk to a smaller size, the function may return uninitialized memory contents. This could lead to the exposure of arbitrary data.
Statement: This vulnerability is rated Moderate for R
Debian
CVE-2025-64118: node-tar - node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true ...
vendor_debian · 2025 · CVSS 6.1 · MEDIUM
Scope: local
Status: bookworm, bullseye, forky, sid, trixie: resolved
OSV
node-tar has a race condition leading to uninitialized memory exposure
osv · 2025-10-30 · MEDIUM
### Summary
Using `.t` (aka `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while being read.
### Details
See:
* https://github.com/isaacs/node-tar/issues/445
* https://github.com/isaacs/node-tar/pull/446
* Regression happened in https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d
### PoC
A:
```js
import * as tar from 'tar'
import fs from 'node:fs'
fs.writeFileSync('tar.test.tmp', Buffer.alloc(1*1024))
// from readme
const filesAdded = []
tar.c(
  {
    sync: true,
    file: 'tar.test.tmp.tar',
    onWriteEntry(entry) {
      // initially, it's uppercase and 0o644
      console.log('adding', entry.path, entry.s
```
GHSA
node-tar has a race condition leading to uninitialized memory exposure
ghsa · 2025-10-30 · MEDIUM · CWE-362 (advisory text identical to the OSV entry above)
OSV
CVE-2025-64118: node-tar is a Tar for Node
osv · 2025-10-30 · CVSS 6.1 · MEDIUM
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-64118 openvino: node-tar: Information disclosure via reading a truncated tar file [fedora-42]
bugzilla · 2026-01-20 · CVSS 6.1 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained ver
Bugzilla
CVE-2025-64118 kf6-breeze-icons: node-tar: Information disclosure via reading a truncated tar file [fedora-42]
bugzilla · 2026-01-20 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2025-64118 onnxruntime: node-tar: Information disclosure via reading a truncated tar file [fedora-42]
bugzilla · 2026-01-20 · CVSS 6.1 · MEDIUM
Bugzilla
CVE-2025-64118 tar: node-tar: Information disclosure via reading a truncated tar file [fedora-42]
bugzilla · 2026-01-20 · CVSS 6.1 · MEDIUM
Published: 2025-10-30