CVE-2025-64118: Race Condition in Node-tar

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.0% (top 99.81%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 30, 2025

Description

node-tar is a tar implementation for Node.js. In version 7.5.1, using .t (alias .list) with { sync: true } to read tar entry contents returns uninitialized memory if the tar file on disk was truncated to a smaller size while it was being read: the synchronous reader commits to an entry size, and a read that comes back short leaves the rest of the output buffer holding whatever was there before. This vulnerability is fixed in 7.5.2.

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H

Decoded: local attack vector, high attack complexity, attack requirements present (the archive must shrink on disk while it is being read), low privileges required, passive user interaction; high confidentiality and low integrity and availability impact on the vulnerable system, with high confidentiality, integrity and availability impact on subsequent systems.

Affected Packages (2 packages)

Source       Package           Affected   Fixed
CVEList V5   isaacs/node-tar   = 7.5.1
npm          gnu/tar           7.5.1      7.5.2

🔴 Vulnerability Details (4)

CVEList   node-tar vulnerable to race condition leading to uninitialized memory exposure   2025-10-30
OSV       node-tar has a race condition leading to uninitialized memory exposure   2025-10-30
GHSA      node-tar has a race condition leading to uninitialized memory exposure   2025-10-30
OSV       CVE-2025-64118: node-tar is a Tar for Node   2025-10-30

📋 Vendor Advisories (2)

Red Hat   node-tar: tar: node-tar: Information disclosure via reading a truncated tar file   2025-10-30
Debian    CVE-2025-64118: node-tar - node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true ...   2025
CVE-2025-64118 — Race Condition in Isaacs Node-tar | cvebase