Description
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3, caused by incomplete handling of Unicode path collisions in the `path-reservations` system. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized, which prevents one entry from clobbering another concurrently. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which this has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits symlink poisoning attacks via race conditions: a race condition that enables arbitrary file overwrite. The vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because the library uses `NFD` Unicode normalization (under which `ß` and `ss` are different strings), conflicting paths do not have their order preserved on filesystems that ignore Unicode normalization (e.g., APFS, where `ß` collides with `ss` on the same inode). This lets an attacker circumvent the internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly and who programmatically use `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this filesystem entry-name collision issue.
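To make the collision concrete, here is an added JavaScript example (not node-tar's code, and it does not import the library). It compares the NFD-only reservation key the advisory attributes to versions up to 7.5.3 with the NFKD plus lower-then-upper-case key of the 7.5.4 fix, runs both through a small stand-in for a path-reservation table to show which constructed archive entries would be allowed to proceed in parallel, and ends with the `SymbolicLink` filter that the interim workaround describes. The `Reservations` class, `SAMPLE_ENTRIES` and `concurrentEntries` are simplified constructs of this example, not node-tar internals; `dropSymlinks` is shaped to fit node-tar's `filter` option, which is called with `(path, entry)`.

```javascript
// Added example, not node-tar's own code. Reproduces the reservation-key
// normalization the advisory describes so the `ß`/`ss` (and ligature `ﬁ`/`fi`)
// collisions are visible, then shows the SymbolicLink filter workaround.

// Stand-in for the pre-7.5.4 key (assumption, per the advisory): NFD only.
// NFD performs no compatibility or case folding, so `ß`/`ss` and `ﬁ`/`fi`
// remain distinct keys even though APFS treats them as the same name.
function legacyKey(p) {
  return p.normalize('NFD');
}

// The 7.5.4 approach as the advisory states it: NFKD (folds compatibility
// characters such as the `ﬁ` ligature), then toLocaleLowerCase('en'), then
// toLocaleUpperCase('en'). Upper-casing maps `ß` to `SS`, so it meets `ss`;
// lower-casing first also brings the capital sharp s (U+1E9E) down to `ß`.
function foldedKey(p) {
  return p.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// Simplified stand-in for a path-reservation table (not node-tar's
// PathReservations): an in-flight entry holds its own folded key, and a new
// entry is refused while its path or any ancestor directory is held.
class Reservations {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.held = new Set();
  }
  // Returns true if the entry may proceed now, false if it must wait.
  reserve(p) {
    const segs = p.split('/').filter(Boolean);
    const prefixes = segs.map((_, i) => segs.slice(0, i + 1).join('/'));
    if (prefixes.some(x => this.held.has(this.keyFn(x)))) return false;
    this.held.add(this.keyFn(p));
    return true;
  }
}

// Constructed entries in the shape of a symlink-poisoning archive: a symlink
// directory named with `ß`, then a file written through the `ss` spelling;
// plus a ligature/ASCII pair. Sample data for this example only.
const SAMPLE_ENTRIES = [
  { path: 'pkg/straße', type: 'SymbolicLink', linkpath: '/tmp' },
  { path: 'pkg/strasse/x', type: 'File' },
  { path: 'pkg/ﬁle.txt', type: 'File' }, // U+FB01 'fi' ligature
  { path: 'pkg/file.txt', type: 'File' },
];

// Which entries would be granted a reservation while all earlier ones are
// still in flight, i.e. could run concurrently under the given key function.
function concurrentEntries(entries, keyFn) {
  const table = new Reservations(keyFn);
  return entries.filter(e => table.reserve(e.path)).map(e => e.path);
}

// Interim workaround from the advisory: drop every SymbolicLink entry. The
// signature matches node-tar's `filter` option, which is called with
// (path, entry) and skips the entry when the function returns false.
function dropSymlinks(path, entry) {
  return entry.type !== 'SymbolicLink';
}

function safeEntries(entries) {
  return entries.filter(e => dropSymlinks(e.path, e));
}

console.log('NFD keys, run in parallel   :', concurrentEntries(SAMPLE_ENTRIES, legacyKey));
console.log('folded keys, run in parallel:', concurrentEntries(SAMPLE_ENTRIES, foldedKey));
console.log('entries kept by symlink filter:', safeEntries(SAMPLE_ENTRIES).map(e => e.path));
```

Under the NFD key all four constructed entries are granted at once, so the file write through `pkg/strasse/` can race the `pkg/straße` symlink; under the folded key the colliding entries are held back. With node-tar itself the predicate is passed as `tar.x({ file, cwd, filter: dropSymlinks })`; the example keeps it standalone so it runs without the package installed.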
Published: 2026-01-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite via symlink poisoning
Action: Apply Patch
AI Analysis

Impact

A race condition exists in the path reservation system of node-tar that allows Unicode path collisions on case-insensitive, normalization-insensitive file systems such as macOS APFS. Because colliding names such as the German ß and the letters ss are treated as equivalent on such file systems, concurrent extraction of malicious entries bypasses the library’s internal locks and enables an attacker to create or overwrite arbitrary files. If the attacker succeeds, they could place a malicious executable in a location that the application later reads, potentially leading to integrity violations and possibly allowing arbitrary code execution depending on the application’s execution context.

Affected Systems

The vulnerability affects Isaac’s node-tar library (used in Node.js) versions up through 7.5.3 when run on macOS operating systems that use APFS or HFS+ file systems. Users who extract tarballs with this library on those platforms are at risk.

Risk and Exploitability

A CVSS v3 score of 8.8 indicates high severity. The EPSS score is below 1%, indicating a very low but non-zero exploitation probability, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. The primary attack vector is the processing of a malicious tar archive by a system that uses node-tar for extraction, either locally or via a remote service that performs extraction on behalf of users. Successful exploitation requires that the target file system be case-insensitive and normalization-insensitive; only then do the path collisions occur.

Generated by OpenCVE AI on April 18, 2026 at 19:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade node-tar to version 7.5.4 or later, which updates path-reservations.js to normalize paths in a manner consistent with macOS file systems.
  • If an immediate upgrade is not possible, filter out all SymbolicLink entries from any tarball before extraction, as recommended by the vendor interim workaround.
  • Implement extraction sandboxing or run the extraction process under a non-privileged user account to limit the potential damage of an arbitrary file overwrite.

Advisories
Source: GitHub GHSA
ID: GHSA-r6q2-hw4h-h46w
Title: Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
History

Wed, 18 Feb 2026 16:00:00 +0000
CPEs added: cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*

Wed, 21 Jan 2026 21:15:00 +0000
Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 12:15:00 +0000
References: changed (values not listed)
Metrics (threat_severity): removed None, added Important

Tue, 20 Jan 2026 08:45:00 +0000
First Time appeared: Isaacs, Isaacs tar
Vendors & Products added: Isaacs, Isaacs tar

Tue, 20 Jan 2026 01:15:00 +0000
Description added: the description text shown at the top of this page.
Title added: node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS
Weaknesses added: CWE-176, CWE-352, CWE-367
References: changed (values not listed)
Metrics (cvssV3_1) added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-21T20:15:57.278Z
Reserved: 2026-01-19T14:49:06.312Z
Link: CVE-2026-23950

Vulnrichment
Updated: 2026-01-21T20:15:38.325Z

NVD
Status: Analyzed
Published: 2026-01-20T01:15:57.870
Modified: 2026-02-18T15:50:29.910
Link: CVE-2026-23950

Redhat
Severity: Important
Public Date: 2026-01-20T00:40:48Z
Links: CVE-2026-23950 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-18T19:15:10Z

Weaknesses