Description
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Node-tar misapplies a PAX extended header’s size record to intermediate GNU long-name (L) or long-link (K) entries, violating the POSIX rule that a PAX header describes only the following file. This misinterpretation desynchronizes the stream cursor, so the same packed archive can list a different set of members when parsed by node-tar versus standard tools such as GNU tar or libarchive. An attacker can craft an archive that hides sensitive or malicious files from one parser while exposing them to another, undermining scanners or extractors that expect consistent listings. The flaw is classified as CWE-115 and CWE-436.

Affected Systems

The vulnerability affects the isaacs node-tar package for Node.js. All releases older than 7.5.16 are impacted. Any Node.js application that imports node-tar to process tar archives is potentially exposed, including web services, build pipelines, or any tool that extracts or scans tar files.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS is below 1 %, suggesting a very low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalogue. However, an attacker can deliver a specially crafted archive to any vulnerable service or script that loads node-tar, causing the archive contents to be interpreted differently by that library compared to trusted tar tools. Because the attack requires only the use of existing library code and no additional privileges, the attack vector is straightforward, though the impact is limited to an environment that uses node-tar for archive handling.

Generated by OpenCVE AI on July 12, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the node-tar library to version 7.5.16 or later to apply the fix.
  • If an upgrade is not possible, validate the archive with a reference tar implementation (e.g., GNU tar or libarchive) before passing it to node-tar or reject archives that contain PAX size overrides on intermediary headers.
  • Where feasible, replace node-tar with an alternative library that correctly follows POSIX PAX semantics, such as tar-rs or astral-tokio-tar, or apply linting to the tar stream to enforce correct header order.

Generated by OpenCVE AI on July 12, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vmf3-w455-68vh node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
History

Fri, 10 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-115
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N'}

threat_severity

Moderate


Wed, 24 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Isaacs
Isaacs tar
Vendors & Products Isaacs
Isaacs tar

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
Title node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Weaknesses CWE-436
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:09:06.835Z

Reserved: 2026-06-09T20:50:36.876Z

Link: CVE-2026-53655

cve-icon Vulnrichment

Updated: 2026-06-23T14:15:27.771Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-22T14:55:50Z

Links: CVE-2026-53655 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-12T21:30:16Z

Weaknesses