Impact
Node-tar misapplies a PAX extended header’s size record to intermediate GNU long-name (L) or long-link (K) entries, violating the POSIX rule that a PAX header describes only the following file. This misinterpretation desynchronizes the stream cursor, so the same packed archive can list a different set of members when parsed by node-tar versus standard tools such as GNU tar or libarchive. An attacker can craft an archive that hides sensitive or malicious files from one parser while exposing them to another, undermining scanners or extractors that expect consistent listings. The flaw is classified as CWE-115 and CWE-436.
Affected Systems
The vulnerability affects the isaacs node-tar package for Node.js. All releases older than 7.5.16 are impacted. Any Node.js application that imports node-tar to process tar archives is potentially exposed, including web services, build pipelines, or any tool that extracts or scans tar files.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. The EPSS is below 1 %, suggesting a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalogue. However, an attacker can deliver a specially crafted archive to any vulnerable service or script that loads node-tar, causing the archive contents to be interpreted differently by that library compared to trusted tar tools. Because the attack requires only the use of existing library code and no additional privileges, the attack vector is straightforward, though the impact is limited to an environment that uses node-tar for archive handling.
OpenCVE Enrichment
Github GHSA