Vulnerability in Isaacs Node-tar
CVE-2025-64118
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while being read. This vulnerability is fi…
Vulnerability class: Race Condition
EPSS: 0.000 (0.3th percentile)
Affected products
- Isaacs Node-tar, version 7.5.1
Weakness classification (CWE)
References
- https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph (x_refsource_CONFIRM)
- https://github.com/isaacs/node-tar/issues/445 (x_refsource_MISC)
- https://github.com/isaacs/node-tar/pull/446 (x_refsource_MISC)
- https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d (x_refsource_MISC)