CVE-2025-64118

node-tar vulnerable to race condition leading to uninitialized memory exposure

Description

node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

INFO

Published Date :

2025-10-30T17:50:20.421Z

Last Modified :

2025-10-30T18:42:19.663Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-64118 vulnerability.

Vendors	Products
Node-tar Project	Node-tar

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-64118.

URL	Resource
https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d
https://github.com/isaacs/node-tar/issues/445
https://github.com/isaacs/node-tar/pull/446
https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability