Description
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another). This vulnerability is fixed in 7.5.16.
Published: 2026-06-22
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

node-tar desynchronizes its tar stream cursor when a PAX size override is applied to an intermediary GNU long-name (L) or long-link (K) header, contrary to the POSIX pax specification, under which a PAX extended header describes only the next file entry. A single crafted archive therefore produces a different member listing under node-tar than under the reference tar implementations, allowing an attacker to hide a member from one parser while it remains visible to another and undermining security tooling that assumes its scanner and its extractor agree on archive contents. The weakness is classified as an interpretation conflict (CWE-436).

Affected Systems

The vulnerability affects the node-tar package (npm `tar`, maintained by isaacs) in all versions older than 7.5.16. Any Node.js application that imports this library and parses or extracts tar archives is potentially exposed; the exposure is greatest where untrusted archives are scanned with one tar implementation and extracted with node-tar.

Risk and Exploitability

With a CVSS v4.0 base score of 6.9 the flaw is rated Medium. No EPSS score is available, and the absence of a CISA KEV listing suggests no known exploitation at the time of analysis. The attack requires delivering a specially crafted tar archive to a process that parses it with a vulnerable node-tar, which applies to any Node.js service or pipeline that accepts untrusted archives (upload handlers, package or artifact installers, automated extraction steps); the practical risk is highest where a scanner and an extractor use different tar parsers, since that is the disagreement the archive is crafted to exploit.

Generated by OpenCVE AI on June 22, 2026 at 16:27 UTC.

Remediation

The OpenCVE remediation field lists no vendor fix or workaround, but the advisory text itself states that the issue is fixed in node-tar 7.5.16.

OpenCVE Recommended Actions

  • Upgrade node-tar to version 7.5.16 or newer.
  • Where untrusted archives must be handled before the upgrade, validate each archive with a reference tar implementation (GNU tar, libarchive/bsdtar or Python tarfile) and reject it if that member listing differs from node-tar's.
  • Alternatively, reject archives in which a PAX extended header (x) is followed by another extension header (L, K or x) instead of a file entry, since that layout is what the differential depends on, and make sure the scanner and the extractor in a pipeline use the same tar parser.
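The following is an added example written for this page; it is not code from node-tar or from the advisory. It is a small ustar/PAX/GNU long-name reader (hypothetical names: `header`, `pad`, `cstr`, `parsePax`, `listMembers`, `buildCraftedArchive`, `buildBenignArchive`, `interpretationsAgree`) with one switch: whether pending PAX overrides are applied to the next header of any type, as the advisory says pre-7.5.16 node-tar does, or only to the next file entry, as POSIX pax requires. The "any type" branch is a simplified model of the behaviour the advisory describes, not a transcription of node-tar's own state machine. Both archives are constructed in memory: in the crafted one the PAX record says size=512 while the L header's own size field says 1024, so the two readings advance the cursor differently and one of them lists a member the other never sees. The last function is the pre-validation check recommended above: list the members under both interpretations and reject the archive if they disagree.

```javascript
// Added example (not node-tar's code): a minimal ustar/PAX/GNU long-name reader with
// one switch that models the behaviour the advisory describes. All names are
// hypothetical; the archives are constructed in memory for the demonstration.
const BLOCK = 512;
// Header checksum: every byte summed, with the chksum field counted as spaces.
function checksum(h) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 0x20 : h[i];
  return sum;
}
// One 512-byte ustar header; only name, size, typeflag, magic and chksum are set.
function header({ name, type, size }) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 100, 'latin1');
  h.write(size.toString(8).padStart(11, '0') + '\0', 124); // size, octal
  h.write('        ', 148); // chksum placeholder while summing
  h[156] = type.charCodeAt(0); // '0' file, 'x' PAX header, 'L' GNU long name, 'K' long link
  h.write('ustar\x0000', 257); // magic + version
  h.write(checksum(h).toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}
// Pad a payload to whole blocks.
function pad(buf) {
  const out = Buffer.alloc(Math.ceil(buf.length / BLOCK) * BLOCK);
  buf.copy(out);
  return out;
}
// NUL-terminated string field.
function cstr(buf, off, len) {
  const s = buf.subarray(off, off + len);
  const nul = s.indexOf(0);
  return s.toString('latin1', 0, nul === -1 ? len : nul);
}
// PAX records are "<len> <key>=<value>\n", <len> counting the whole record.
function parsePax(buf) {
  const out = {};
  for (let i = 0; i < buf.length; ) {
    const sp = buf.indexOf(0x20, i);
    const len = parseInt(buf.toString('latin1', i, sp), 10);
    const rec = buf.toString('utf8', sp + 1, i + len - 1); // drop the trailing "\n"
    const eq = rec.indexOf('=');
    const key = rec.slice(0, eq);
    out[key] = key === 'size' ? parseInt(rec.slice(eq + 1), 10) : rec.slice(eq + 1);
    i += len;
  }
  return out;
}

// paxToAnyHeader=false: POSIX pax, pending overrides go to the next file entry.
// paxToAnyHeader=true:  the pre-7.5.16 behaviour from the advisory, modelled here
//   as "pending overrides go to whatever header comes next, L/K/x included".
function listMembers(archive, paxToAnyHeader) {
  const members = [];
  let pax = null, longName = null; // pending PAX overrides / pending GNU long name
  for (let off = 0; off + BLOCK <= archive.length; ) {
    const hdr = archive.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break; // end-of-archive marker
    if (parseInt(cstr(hdr, 148, 8), 8) !== checksum(hdr)) throw new Error(`bad checksum at ${off}`);
    const type = String.fromCharCode(hdr[156]);
    const isExtension = type === 'x' || type === 'L' || type === 'K';
    let size = parseInt(cstr(hdr, 124, 12), 8);
    if (pax !== null && (paxToAnyHeader || !isExtension)) {
      if (pax.size !== undefined) size = pax.size; // the size= override
      pax = null;
    }
    const data = archive.subarray(off + BLOCK, off + BLOCK + size);
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // how far the cursor moves depends on size
    if (type === 'x') { pax = parsePax(data); continue; }
    if (type === 'L') { longName = cstr(data, 0, data.length); continue; }
    if (type === 'K') continue; // long link target, not needed for this demo
    members.push({ name: longName ?? cstr(hdr, 0, 100), size });
    longName = null;
  }
  return members;
}

// Constructed archive: the PAX record says size=512 while the L header's own size
// field says 1024, so the two readings diverge right after the L header.
function buildCraftedArchive() {
  const pax = Buffer.from('12 size=512\n', 'latin1');
  return Buffer.concat([
    header({ name: 'PaxHeader/app.sh', type: 'x', size: pax.length }), pad(pax), // blocks 0-1
    header({ name: '././@LongLink', type: 'L', size: 1024 }), // block 2
    pad(Buffer.from('app.sh\0', 'latin1')), // block 3: first half of the long name
    header({ name: 'filler', type: '0', size: 512 }), // block 4: name tail (POSIX) / file header (node-tar model)
    header({ name: 'app.sh', type: '0', size: 0 }), // block 5: app.sh header (POSIX) / file data (node-tar model)
    header({ name: 'smuggled.sh', type: '0', size: 0 }), // block 6: app.sh data (POSIX) / a member (node-tar model)
    Buffer.alloc(2 * BLOCK), // blocks 7-8: end of archive
  ]);
}
// Constructed well-formed archive: the PAX header is followed directly by the file.
function buildBenignArchive() {
  const pax = Buffer.from('11 size=18\n', 'latin1');
  return Buffer.concat([
    header({ name: 'PaxHeader/app.sh', type: 'x', size: pax.length }), pad(pax),
    header({ name: 'app.sh', type: '0', size: 0 }), pad(Buffer.from('#!/bin/sh\necho ok\n')),
    Buffer.alloc(2 * BLOCK),
  ]);
}

// Pre-validation check: reject any archive whose member listing depends on the parser.
function interpretationsAgree(archive) {
  return JSON.stringify(listMembers(archive, false)) === JSON.stringify(listMembers(archive, true));
}
const demo = buildCraftedArchive();
console.log('POSIX pax reading :', listMembers(demo, false), ' pre-7.5.16 reading:', listMembers(demo, true));
console.log('crafted agrees?', interpretationsAgree(demo), ' benign agrees?', interpretationsAgree(buildBenignArchive()));
```

Run with `node`. The crafted archive lists `app.sh` alone under the POSIX reading and `app.sh` plus `smuggled.sh` under the permissive one, while the benign archive lists the same single member under both. In a real pipeline the reference listing would come from GNU tar, bsdtar or Python tarfile rather than from a second in-process parser, and the check belongs at the point where the archive enters the pipeline, before any tool extracts it.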


Advisories
Source: GitHub GHSA
ID: GHSA-vmf3-w455-68vh
Title: node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
History

Mon, 22 Jun 2026 15:45:00 +0000

Values added (no values removed):
Description: node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another). This vulnerability is fixed in 7.5.16.
Title: node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Weaknesses: CWE-436
References: (none)
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T14:55:50.133Z

Reserved: 2026-06-09T20:50:36.876Z

Link: CVE-2026-53655

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T16:30:08Z

Weaknesses