VYPR
Get started
← All advisories
High severityOSV Advisory· Published Jan 20, 2026· Updated Jan 21, 2026

node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS

CVE-2026-23950

Description

node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., ß and ss), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a PathReservations system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
tarnpm
< 7.5.47.5.4

Affected products

1

Patches

1
3b1abfae6500

normalize out unicode ligatures

https://github.com/isaacs/node-tarisaacsJan 19, 2026via ghsa
commit
6 files changed · +88 12
  • src/normalize-unicode.ts+5 1 modified
    @@ -9,7 +9,11 @@ const MAX = 10000
 const cache = new Set<string>()
 export const normalizeUnicode = (s: string): string => {
   if (!cache.has(s)) {
-    normalizeCache[s] = s.normalize('NFD')
+    // shake out identical accents and ligatures
+    normalizeCache[s] = s
+      .normalize('NFD')
+      .toLocaleLowerCase('en')
+      .toLocaleUpperCase('en')
   } else {
     cache.delete(s)
   }
  • src/path-reservations.ts+1 3 modified
    @@ -56,9 +56,7 @@ export class PathReservations {
         ['win32 parallelization disabled']
       : paths.map(p => {
           // don't need normPath, because we skip this entirely for windows
-          return stripTrailingSlashes(
-            join(normalizeUnicode(p)),
-          ).toLowerCase()
+          return stripTrailingSlashes(join(normalizeUnicode(p)))
         })
 
     const dirs = new Set<string>(
  • tap-snapshots/test/normalize-unicode.js-win32.test.cjs+6 6 modified
    @@ -6,25 +6,25 @@
  */
 'use strict'
 exports[`test/normalize-unicode.js win32 > TAP > normalize with strip slashes > "\\\\\eee\\\\\\" > normalized 1`] = `
-\\\\\eee\\\\\\
+\\\\\EEE\\\\\\
 `
 
 exports[`test/normalize-unicode.js win32 > TAP > normalize with strip slashes > "\\\\a\\\\b\\\\c\\\\d\\\\" > normalized 1`] = `
-/a/b/c/d
+/A/B/C/D
 `
 
 exports[`test/normalize-unicode.js win32 > TAP > normalize with strip slashes > "﹨aaaa﹨dddd﹨" > normalized 1`] = `
-﹨aaaa﹨dddd﹨
+﹨AAAA﹨DDDD﹨
 `
 
 exports[`test/normalize-unicode.js win32 > TAP > normalize with strip slashes > "\bbb\eee\" > normalized 1`] = `
-\bbb\eee\
+\BBB\EEE\
 `
 
 exports[`test/normalize-unicode.js win32 > TAP > normalize with strip slashes > "1/4foo.txt" > normalized 1`] = `
-1/4foo.txt
+1/4FOO.TXT
 `
 
 exports[`test/normalize-unicode.js win32 > TAP > normalize with strip slashes > "¼foo.txt" > normalized 1`] = `
-¼foo.txt
+¼FOO.TXT
 `
  • test/ghsa-8qq5-rm4j-mr97.ts+4 1 modified
    @@ -42,7 +42,10 @@ t.test('verify that linkpaths get sanitized properly', async t => {
   })
 
   writeFileSync(resolve(out, 'exploit_hard'), 'OVERWRITTEN')
-  t.equal(readFileSync(resolve(dir, 'secret.txt'), 'utf8'), 'ORIGINAL DATA')
+  t.equal(
+    readFileSync(resolve(dir, 'secret.txt'), 'utf8'),
+    'ORIGINAL DATA',
+  )
 
   t.not(readlinkSync(resolve(out, 'exploit_sym')), targetSym)
 })
  • test/ghsa-r6q2-hw4h-h46w.ts+71 0 added
    @@ -0,0 +1,71 @@
+import t from 'tap'
+import { normalizeUnicode } from '../src/normalize-unicode.js'
+import { Header } from '../src/header.js'
+import { extract } from '../src/extract.js'
+import { resolve } from 'node:path'
+import { lstatSync, readFileSync, statSync } from 'node:fs'
+
+// these characters are problems on macOS's APFS
+const chars = {
+  ['ff'.normalize('NFC')]: 'FF',
+  ['fi'.normalize('NFC')]: 'FI',
+  ['fl'.normalize('NFC')]: 'FL',
+  ['ffi'.normalize('NFC')]: 'FFI',
+  ['ffl'.normalize('NFC')]: 'FFL',
+  ['ſt'.normalize('NFC')]: 'ST',
+  ['st'.normalize('NFC')]: 'ST',
+  ['ẛ'.normalize('NFC')]: 'Ṡ',
+  ['ß'.normalize('NFC')]: 'SS',
+  ['ẞ'.normalize('NFC')]: 'SS',
+  ['ſ'.normalize('NFC')]: 'S',
+}
+
+for (const [c, n] of Object.entries(chars)) {
+  t.test(`${c} => ${n}`, async t => {
+    t.equal(normalizeUnicode(c), n)
+
+    t.test('link then file', async t => {
+      const tarball = Buffer.alloc(2048)
+      new Header({
+        path: c,
+        type: 'SymbolicLink',
+        linkpath: './target',
+      }).encode(tarball, 0)
+      new Header({
+        path: n,
+        type: 'File',
+        size: 1,
+      }).encode(tarball, 512)
+      tarball[1024] = 'x'.charCodeAt(0)
+
+      const cwd = t.testdir({ tarball })
+
+      await extract({ cwd, file: resolve(cwd, 'tarball') })
+
+      t.throws(() => statSync(resolve(cwd, 'target')))
+      t.equal(readFileSync(resolve(cwd, n), 'utf8'), 'x')
+    })
+
+    t.test('file then link', { saveFixture: true }, async t => {
+      const tarball = Buffer.alloc(2048)
+      new Header({
+        path: n,
+        type: 'File',
+        size: 1,
+      }).encode(tarball, 0)
+      tarball[512] = 'x'.charCodeAt(0)
+      new Header({
+        path: c,
+        type: 'SymbolicLink',
+        linkpath: './target',
+      }).encode(tarball, 1024)
+
+      const cwd = t.testdir({ tarball })
+
+      await extract({ cwd, file: resolve(cwd, 'tarball') })
+
+      t.throws(() => statSync(resolve(cwd, 'target')))
+      t.equal(lstatSync(resolve(cwd, c)).isSymbolicLink(), true)
+    })
+  })
+}
  • test/normalize-unicode.js+1 1 modified
    @@ -21,7 +21,7 @@ t.equal(
   'matching unicodes',
 )
 t.equal(normalizeUnicode(cafe1), normalizeUnicode(cafe2), 'cached')
-t.equal(normalizeUnicode('foo'), 'foo', 'non-unicode string')
+t.equal(normalizeUnicode('foo'), 'FOO', 'non-unicode string')
 
 if (fakePlatform === 'win32') {
   t.test('normalize with strip slashes', t => {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.