node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS
Description
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., ß and ss), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a PathReservations system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using NFD Unicode normalization (in which ß and ss are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which ß causes an inode collision with ss)). This enables an attacker to circumvent internal parallelization locks (PathReservations) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (e.g., NFKD), followed by first toLocaleLowerCase('en') and then toLocaleUpperCase('en'). As a workaround, users who cannot upgrade promptly, and who are programmatically using node-tar to extract arbitrary tarball data should filter out all SymbolicLink entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tarnpm | < 7.5.4 | 7.5.4 |
Affected products
60- osv-coords59 versionspkg:apk/chainguard/actions-runnerpkg:apk/chainguard/code-serverpkg:apk/chainguard/graalvm-25-ce-nodejspkg:apk/chainguard/kibana-8.17pkg:apk/chainguard/kibana-8.17-iamguardedpkg:apk/chainguard/kibana-8.18pkg:apk/chainguard/kibana-8.18-iamguardedpkg:apk/chainguard/kibana-8.19pkg:apk/chainguard/kibana-8.19-iamguardedpkg:apk/chainguard/kibana-9.0pkg:apk/chainguard/kibana-9.0-bitnamipkg:apk/chainguard/kibana-9.0-iamguardedpkg:apk/chainguard/kibana-9.1pkg:apk/chainguard/kibana-9.1-iamguardedpkg:apk/chainguard/kibana-9.2pkg:apk/chainguard/kibana-9.2-iamguardedpkg:apk/chainguard/kubeflow-centraldashboardpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/lernapkg:apk/chainguard/node-gyppkg:apk/chainguard/opensearch-dashboards-2pkg:apk/chainguard/opensearch-dashboards-2-fipspkg:apk/chainguard/opensearch-dashboards-3pkg:apk/chainguard/opensearch-dashboards-3-fipspkg:apk/chainguard/prismpkg:apk/chainguard/pulumi-language-nodejspkg:apk/chainguard/redisinsightpkg:apk/chainguard/renovatepkg:apk/chainguard/safpkg:apk/chainguard/sqlpadpkg:apk/chainguard/tileserver-glpkg:apk/chainguard/tileserver-gl-fipspkg:apk/chainguard/vitess-22pkg:apk/chainguard/vitess-23pkg:apk/chainguard/wazuh-dashboardpkg:apk/chainguard/wazuh-dashboard-fipspkg:apk/wolfi/code-serverpkg:apk/wolfi/kubeflow-centraldashboardpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/lernapkg:apk/wolfi/node-gyppkg:apk/wolfi/opensearch-dashboards-2pkg:apk/wolfi/opensearch-dashboards-3pkg:apk/wolfi/prismpkg:apk/wolfi/pulumi-language-nodejspkg:apk/wolfi/renovatepkg:apk/wolfi/safpkg:apk/wolfi/sqlpadpkg:apk/wolfi/tileserver-glpkg:apk/wolfi/vitess-22pkg:apk/wolfi/vitess-23pkg:npm/tarpkg:rpm/almalinux/sgx-commonpkg:rpm/almalinux/sgx-libspkg:rpm/almalinux/sgx-mpapkg:rpm/almalinux/sgx-pccspkg:rpm/almalinux/sgx-pccs-adminpkg:rpm/almalinux/sgx-pckid-toolpkg:rpm/almalinux/tdx-qgs
< 2.331.0-r1+ 58 more
- (no CPE)range: < 2.331.0-r1
- (no CPE)range: < 4.106.3-r4
- (no CPE)range: < 25.0.2-r1
- (no CPE)range: < 8.17.10-r8
- (no CPE)range: < 8.17.10-r8
- (no CPE)range: < 8.18.8-r8
- (no CPE)range: < 8.18.8-r8
- (no CPE)range: < 8.19.10-r2
- (no CPE)range: < 8.19.10-r2
- (no CPE)range: < 9.0.8-r8
- (no CPE)range: < 9.0.8-r8
- (no CPE)range: < 9.0.8-r8
- (no CPE)range: < 9.1.10-r3
- (no CPE)range: < 9.1.10-r3
- (no CPE)range: < 9.2.3-r5
- (no CPE)range: < 9.2.3-r5
- (no CPE)range: < 1.10.0-r10
- (no CPE)range: < 2.15.0-r12
- (no CPE)range: < 9.0.4-r0
- (no CPE)range: < 12.2.0-r0
- (no CPE)range: < 2.19.4-r15
- (no CPE)range: < 2.19.5-r0
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 5.14.3-r5
- (no CPE)range: < 3.215.0-r1
- (no CPE)range: < 3.0.2-r1
- (no CPE)range: < 43.2.4-r0
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 7.5.7-r6
- (no CPE)range: < 5.5.0-r2
- (no CPE)range: < 5.5.0-r3
- (no CPE)range: < 22.0.3-r0
- (no CPE)range: < 23.0.1-r0
- (no CPE)range: < 4.14.5-r0
- (no CPE)range: < 4.14.5-r0
- (no CPE)range: < 4.106.3-r4
- (no CPE)range: < 1.10.0-r10
- (no CPE)range: < 2.15.0-r12
- (no CPE)range: < 9.0.4-r0
- (no CPE)range: < 12.2.0-r0
- (no CPE)range: < 2.19.4-r15
- (no CPE)range: < 3.5.0-r0
- (no CPE)range: < 5.14.3-r5
- (no CPE)range: < 3.215.0-r1
- (no CPE)range: < 43.2.4-r0
- (no CPE)range: < 1.6.0-r0
- (no CPE)range: < 7.5.7-r6
- (no CPE)range: < 5.5.0-r2
- (no CPE)range: < 22.0.3-r0
- (no CPE)range: < 23.0.1-r0
- (no CPE)range: < 7.5.4
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
- (no CPE)range: < 2.26-7.el10
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-r6q2-hw4h-h46wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-23950ghsaADVISORY
- github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6ghsax_refsource_MISCWEB
- github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46wghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.