Vulnerability Description
node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.
Related Weaknesses (CWE)
References
- https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d4522
- https://github.com/isaacs/node-tar/issues/445
- https://github.com/isaacs/node-tar/pull/446
- https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph
FAQ
What is CVE-2025-64118?
CVE-2025-64118 is a documented vulnerability. node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size whi...
How severe is CVE-2025-64118?
CVSS scoring is not yet available for CVE-2025-64118. Check NVD for updates.
Is there a patch for CVE-2025-64118?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.