CVE-2026-23950 — Improper Handling of Unicode Encoding in Node-tar
Severity
5.9 MEDIUM (NVD)
CNA: 8.8
EPSS
0.0%
top 99.36%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 20
Latest update: Jan 21
Description
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 4 packages
Patches
Vulnerability Details (4)
OSV: Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS (2026-01-21)
GHSA: Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS (2026-01-21)
CVEList: node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS (2026-01-20)
Vendor Advisories (2)
Threat Intelligence (1)
Community (1)
Bugzilla: CVE-2026-23950 node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition (2026-01-20)