CVE-2026-53655
Published 2026-06-22
Priority P423 | medium | CVSS 3.1: 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS: 0.11% (1.4th percentile)
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another). This vulnerability is fixed in 7.5.16.
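The defensive check a scanner pipeline would want here is a header-level lint that runs before extraction and reports exactly the sequence described above: a PAX `x` header whose records would land on an intermediary GNU `L`/`K` header rather than on the file entry it annotates. The following is an added example, not code from the CVE record or from node-tar; the walker takes every entry length from the ustar size field alone, so it cannot itself be desynchronized by a PAX override, and the two archives it runs on are constructed fixtures built by the helpers in the block (`lint_tar`, `reference_names` and the fixture names are this example's own).

```python
"""Added example (not part of the CVE record or of node-tar): a pre-extraction
lint that walks raw 512-byte tar headers and flags a PAX extended header (x)
whose records would be applied to an intermediary GNU long-name (L) or
long-link (K) header. Entry lengths come from the ustar size field only, so
the walk itself never honours a PAX size override."""
import io
import tarfile

BLOCK = 512


def _header(name: str, typeflag: str, size: int) -> bytes:
    """Build a minimal ustar header block with a valid checksum (fixture helper)."""
    h = bytearray(BLOCK)
    h[0:len(name)] = name.encode()
    h[100:108] = b"0000644\0"          # mode
    h[108:116] = b"0000000\0"          # uid
    h[116:124] = b"0000000\0"          # gid
    h[124:136] = b"%011o\0" % size     # size, octal
    h[136:148] = b"%011o\0" % 0        # mtime
    h[148:156] = b"        "           # chksum is summed as eight spaces
    h[156] = ord(typeflag)
    h[257:263] = b"ustar\0"
    h[263:265] = b"00"
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


def _entry(name: str, typeflag: str, data: bytes = b"") -> bytes:
    """Header block plus data padded to the next block boundary."""
    return _header(name, typeflag, len(data)) + data + b"\0" * ((-len(data)) % BLOCK)


def _pax_record(key: str, value: str) -> bytes:
    """One PAX record, '<len> key=value\\n', where len counts the whole record."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while len(str(n)) + len(body) != n:
        n += 1
    return f"{n}{body}".encode()


def lint_tar(buf: bytes) -> list[str]:
    """Return a finding for every x header that is followed by an L/K/x header
    instead of the file entry it annotates."""
    findings = []
    off = 0
    pending = None  # record keys of the latest x header not yet consumed by a file entry
    while off + BLOCK <= len(buf):
        hdr = buf[off:off + BLOCK]
        if hdr == bytes(BLOCK):
            break  # end-of-archive marker
        typeflag = chr(hdr[156]) if hdr[156] else "0"
        size = int(hdr[124:136].split(b"\0", 1)[0].strip() or b"0", 8)
        data = buf[off + BLOCK:off + BLOCK + size]
        if typeflag == "x":
            keys = [ln.split(" ", 1)[1].split("=", 1)[0]
                    for ln in data.decode("utf-8", "replace").splitlines()
                    if " " in ln and "=" in ln]
            if pending is not None:
                findings.append(f"offset {off}: x header directly follows another x header")
            pending = keys
        elif typeflag in ("L", "K"):
            if pending is not None:
                findings.append(
                    f"offset {off}: GNU {typeflag} header sits between a PAX x header "
                    f"(records: {', '.join(pending)}) and the file it annotates; "
                    "a parser that applies the PAX size here will desynchronise")
            # pending stays set: per POSIX pax it still belongs to the next file entry
        else:
            pending = None
        off += BLOCK + size + ((-size) % BLOCK)
    return findings


def reference_names(buf: bytes) -> list[str]:
    """Member list as seen by Python's tarfile, one of the reference parsers named in the advisory."""
    with tarfile.open(fileobj=io.BytesIO(buf)) as tf:
        return tf.getnames()


# Constructed fixtures, not real-world archives.
# Benign: the x header annotates the file that immediately follows it.
BENIGN = (
    _entry("PaxHeader/hello.txt", "x", _pax_record("mtime", "1700000000"))
    + _entry("hello.txt", "0", b"hi\n")
    + bytes(2 * BLOCK)
)
# Suspicious: a GNU L long-name header is interposed between the x header and the file.
SUSPICIOUS = (
    _entry("PaxHeader/hello.txt", "x", _pax_record("size", "3"))
    + _entry("././@LongLink", "L", b"a-rather-long-name.txt\0")
    + _entry("a-rather-long-name.txt", "0", b"hi\n")
    + bytes(2 * BLOCK)
)

if __name__ == "__main__":
    for label, buf in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, reference_names(buf), lint_tar(buf) or "clean")
```

A pipeline that lists members with one library and extracts with another should either reject archives that produce findings here or, better, use the same parser for both steps so there is no differential to exploit.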
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnu | tar | >= 0 < 7.5.16 | 7.5.16 |
| isaacs | node-tar | < 7.5.16 | 7.5.16 |
| isaacs | tar | < 7.5.16 | 7.5.16 |
CVSS provenance
NVD v3.1: 5.5 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
NVD v4.0: 6.9 MEDIUM, CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulDB
CVE-2026-53655 [MEDIUM] isaacs node-tar up to 7.5.15 Intermediary Extension interpretation conflict
vuldb · 2026-06-22 · CVSS 6.9
A vulnerability was found in isaacs node-tar up to 7.5.15. It has been classified as problematic. Affected by this vulnerability is an unknown functionality of the component Intermediary Extension. The manipulation leads to interpretation conflict.
This vulnerability is listed as CVE-2026-53655. The attack must be carried out locally. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
CVE-2026-53655 [MEDIUM] CWE-436 node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
ghsa · 2026-06-15
### Summary
`tar` (node-tar) applies a PAX extended header's `size=` record (and other PAX overrides) to the **next header entry of any type**, including intermediary metadata headers such as a GNU long-name (`L`) or long-link (`K`) entry. Per POSIX pax, a PAX extended header (`x`) describes the *next file entry*, not the intermediary extension headers that may sit between the `x` header and the file it annotates. Because node-tar lets the PAX `size` override the byte length of an intervening `L`/`K`/`x` header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bs
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.