
CVE-2025-64118

MEDIUM CVSS 4.0: 6.1 EPSS 0.00%
Updated Oct 30, 2025
Isaacs
Parameter    Value
CVSS         6.1 (MEDIUM)
Fixed In     7.5.2
Type         CWE-362 (Race Condition), CWE-367 (Time-of-check Time-of-use (TOCTOU))
Vendor       Isaacs
Public PoC   No

node-tar is a tar implementation for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while it was being read. This vulnerability is fixed in 7.5.2.

Attack Parameters

Attack Vector: Local (requires local access)
Attack Complexity: High (difficult to exploit)
Attack Requirements: Present (additional conditions required)
Privileges Required: Low (basic privileges needed)
User Interaction: Passive (minimal interaction)

Impact Assessment

Confidentiality: High (complete data leak)
Integrity: Low (partial data modification)
Availability: Low (partial disruption)

CVSS Vector v4.0

Vulnerable Products

isaacs:node-tar