Medium severity · OSV Advisory · Published Oct 30, 2025 · Updated Apr 15, 2026
CVE-2025-64118
Description
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if the tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar (npm) | >= 7.5.1, < 7.5.2 | 7.5.2 |
Affected products
- osv-coords, 11 versions:
  - pkg:apk/chainguard/actions-runner
  - pkg:apk/chainguard/actions-runner-compat
  - pkg:apk/chainguard/node-gyp
  - pkg:apk/chainguard/npm
  - pkg:apk/chainguard/npm-doc
  - pkg:apk/chainguard/renovate
  - pkg:apk/wolfi/node-gyp
  - pkg:apk/wolfi/npm
  - pkg:apk/wolfi/npm-doc
  - pkg:apk/wolfi/renovate
  - pkg:npm/tar

  range: < 0 (+ 10 more)
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 12.0.0-r0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 41.169.3-r0
- (no CPE) range: < 12.0.0-r0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 41.169.3-r0
- (no CPE) range: >= 7.5.1, < 7.5.2
References
- github.com/advisories/GHSA-29xp-372q-xqph (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-64118 (ghsa, ADVISORY)
- github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d (nvd, WEB)
- github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9 (ghsa, WEB)
- github.com/isaacs/node-tar/issues/445 (nvd, WEB)
- github.com/isaacs/node-tar/pull/446 (nvd, WEB)
- github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph (nvd, WEB)