CVE-2026-23950
Published 2026-01-20
Priority P3 36 · medium · 5.9 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 0.23% (14.1th percentile)
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions.

The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because the library uses `NFD` Unicode normalization (under which `ß` and `ss` are different), conflicting paths do not have their order properly preserved on filesystems that ignore Unicode normalization (e.g., APFS, on which `ß` causes an inode collision with `ss`). This enables an attacker to circumvent the internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive.

The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data, should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this filesystem entry name collision issue.
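The following is an added example, not node-tar's own source, that models the reservation key `PathReservations` uses to decide whether two archive entries must be serialized, before and after the 7.5.4 change described above. The pre-7.5.4 key is modelled only as the `NFD` normalization the advisory names (any further handling the original code did is not shown); the hardened key follows the advisory's description of `NFKD` + `toLocaleLowerCase('en')` + `toLocaleUpperCase('en')`. `rejectSymlinks` expresses the documented workaround in the shape of node-tar's `filter(path, entry)` extraction option, where `entry.type` is the entry's tar type name. The sample paths are constructed; the ligature case goes beyond the `ß`/`ss` pair in the text to show why `NFKD` rather than `NFD` is needed.

```javascript
// Added example (not node-tar's own code): compare the pre-7.5.4 and 7.5.4
// reservation keys on paths that collide on a normalization-insensitive
// filesystem such as macOS APFS.

// Pre-7.5.4 key as the advisory describes it: NFD normalization only.
// (Assumption: any additional handling the original code performed is omitted.)
function legacyReservationKey(p) {
  return p.normalize('NFD');
}

// 7.5.4 key per the advisory: NFKD, then toLocaleLowerCase('en'), then
// toLocaleUpperCase('en'). The upper-casing step is what folds 'ß' into 'SS',
// and NFKD is what folds compatibility ligatures such as U+FB01 into 'fi'.
function hardenedReservationKey(p) {
  return p.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// True when two entry paths map to the same reservation key, i.e. the
// extractor will serialize them instead of processing them in parallel.
function wouldSerialize(a, b, keyFn) {
  return keyFn(a) === keyFn(b);
}

// Documented workaround: drop every SymbolicLink entry. Shaped like node-tar's
// `filter(path, entry)` option; returning false skips the entry.
// Usage (not run here): tar.x({ file, cwd, filter: rejectSymlinks })
function rejectSymlinks(path, entry) {
  return entry.type !== 'SymbolicLink';
}

// Constructed path pairs. The first two are distinct under NFD but collide
// on APFS; the third (precomposed vs. decomposed é) is a canonical
// equivalence that NFD already handles, included for comparison.
const PAIRS = [
  ['stra\u00dfe', 'strasse'],     // ß vs ss
  ['\ufb01le.txt', 'file.txt'],   // U+FB01 "fi" ligature vs "fi"
  ['caf\u00e9', 'cafe\u0301'],    // U+00E9 vs e + U+0301 combining acute
];

// For each pair, report whether the legacy and hardened keys would serialize
// the two entries.
function report() {
  return PAIRS.map(([a, b]) => ({
    a,
    b,
    legacy: wouldSerialize(a, b, legacyReservationKey),
    hardened: wouldSerialize(a, b, hardenedReservationKey),
  }));
}

console.table(report());
console.log('symlink entry kept by filter:',
  rejectSymlinks('link', { type: 'SymbolicLink' }));
```

Running this shows the `ß`/`ss` and ligature pairs serializing only under the hardened key, while the `é` pair is serialized by both, which is exactly the gap between canonical (`NFD`) and compatibility (`NFKD`) normalization that the 7.5.4 change closes.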
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar | < node-tar 6.2.1+ds1+~cs6.1.13-7 (forky) | node-tar 6.2.1+ds1+~cs6.1.13-7 (forky) |
| gnu | tar | >= 0 < 7.5.4 | 7.5.4 |
| isaacs | node-tar | < 7.5.4 | 7.5.4 |
| isaacs | node-tar | >= 0 < 6.2.1+ds1+~cs6.1.13-7 | 6.2.1+ds1+~cs6.1.13-7 |
| isaacs | tar | < 7.5.4 | 7.5.4 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | 5.9 | MEDIUM | |
| vendor_debian | 8.8 | LOW | |
| vendor_redhat | 8.8 | HIGH | |
Red Hat
vendor_redhat · 2026-01-20 · CVSS 8.8 · HIGH · CWE-367
node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
(Description identical to the NVD text above.)
Debian
vendor_debian · 2026 · CVSS 8.8 · HIGH
CVE-2026-23950: node-tar - node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to...
(Description identical to the NVD text above.)
OSV
osv · 2026-01-21 · HIGH
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
**TITLE**: Race Condition in node-tar Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS
**AUTHOR**: Tomás Illuminati
### Details
A race condition vulnerability exists in `node-tar` (v7.5.3). This is due to incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that meta
GHSA
ghsa · 2026-01-21 · HIGH · CWE-176
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
(Advisory text identical to the OSV entry above: title "Race Condition in node-tar Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS", author Tomás Illuminati.)
OSV
osv · 2026-01-20 · CVSS 5.9 · MEDIUM
CVE-2026-23950: node-tar, a Tar for Node
(Description identical to the NVD text above.)
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 8.8 · HIGH
CVE-2026-23950 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23950 :
JavaScript vulnerability analysis and mitigation
Source: NVD
Score: 5.9 (Severity MEDIUM); CNA Score: 8.8
Published: January 20, 2026
Affected Technologies: JavaScript, Grafana
Has Public Exploit: Yes
Has CISA KEV Exploit: No (CISA KEV Release Date: N/A; CISA KEV Due Date: N/A)
Exploitation Probability Percentile (EPSS): 0.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: nodejs:24::nodejs-devel, argo-workflows-fips-3.7
Sources: NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge · Severity MEDIUM · No Fix · Added at: F
Bugzilla
bugzilla · 2026-01-20 · CVSS 8.2 · HIGH
CVE-2026-23745 CVE-2026-23950 onnxruntime: various flaws [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version'
to a la
Bugzilla
bugzilla · 2026-01-20 · CVSS 5.9 · MEDIUM
CVE-2026-23950 node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition
(Description identical to the NVD text above.)
Bugzilla
bugzilla · 2026-01-20 · CVSS 8.2 · HIGH
CVE-2026-23745 CVE-2026-23950 tar: various flaws [fedora-42]
(Same community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as the onnxruntime tracker above.)
Bugzilla
bugzilla · 2026-01-20 · CVSS 8.2 · HIGH
CVE-2026-23745 CVE-2026-23950 openvino: various flaws [fedora-42]
(Same community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as the onnxruntime tracker above.)
Bugzilla
bugzilla · 2026-01-20 · CVSS 8.2 · HIGH
CVE-2026-23745 CVE-2026-23950 kf6-breeze-icons: various flaws [fedora-42]
(Same community-tracker disclaimer and Fedora Linux 42 end-of-life reminder as the onnxruntime tracker above.)
References:
- https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
- https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
- https://access.redhat.com/errata/RHSA-2026:18480
- https://access.redhat.com/errata/RHSA-2026:18868
- https://access.redhat.com/errata/RHSA-2026:2144
- https://access.redhat.com/errata/RHSA-2026:2926
- https://access.redhat.com/errata/RHSA-2026:6192
- https://access.redhat.com/security/cve/CVE-2026-23950
- https://bugzilla.redhat.com/show_bug.cgi?id=2431036
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-23950.json
Published: 2026-01-20