FKIE_CVE-2026-23950

Vulnerability from fkie_nvd - Published: 2026-01-20 01:15 - Updated: 2026-02-18 15:50
Summary
node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized; this prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because the library uses `NFD` Unicode normalization (under which `ß` and `ss` are different), conflicting paths do not have their order properly preserved on filesystems that ignore Unicode normalization (e.g., APFS, on which `ß` causes an inode collision with `ss`). This enables an attacker to circumvent the internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data, should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
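The normalization point above is easy to see in a few lines of Node.js. The block below is an added example written for this page, not code from node-tar or its advisory: it re-creates the two reservation-key strategies the text describes (NFD only, versus NFKD followed by `toLocaleLowerCase('en')` and `toLocaleUpperCase('en')`), groups a constructed list of archive entry names by each key to show which names are recognised as colliding, and shows the advisory's symlink-rejecting workaround in the `(path, entry)` shape that node-tar's `filter` extract option passes. The function names, the sample entries and the `report` summary are all assumptions of this example; the library itself is not loaded, and the parallel extraction race is not reproduced, only the key computation that decides whether two entries get serialized.

```javascript
// Added illustration of the advisory's normalization point; it re-creates the
// key logic the text describes and is not code from node-tar itself.

// Key as the text describes the vulnerable versions: NFD only. Names that a
// case-insensitive, normalization-insensitive volume will merge (for example
// "ß" and "ss" on macOS APFS) still get different keys, so the reservation
// system does not serialize them.
function reservationKeyNfdOnly(p) {
  return p.normalize('NFD');
}

// Key as the text describes the 7.5.4 fix: NFKD, then toLocaleLowerCase('en'),
// then toLocaleUpperCase('en'). Upper-casing folds "ß" to "SS", and NFKD maps
// precomposed and decomposed accented letters to one form.
function reservationKeyFolded(p) {
  return p.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// Group raw archive paths by reservation key. A group holding more than one
// distinct raw path is a collision that must be processed serially; under the
// vulnerable key such pairs are not recognised and can run in parallel.
function collidingGroups(paths, keyFn) {
  const groups = new Map();
  for (const p of paths) {
    const k = keyFn(p);
    if (!groups.has(k)) groups.set(k, new Set());
    groups.get(k).add(p);
  }
  return [...groups.values()]
    .filter(g => g.size > 1)
    .map(g => [...g].sort());
}

// The advisory's workaround for users who cannot upgrade: refuse every
// SymbolicLink entry. The (path, entry) shape is the one node-tar's `filter`
// extract option passes to the callback; `entry.type` is the type string.
function rejectSymlinks(path, entry) {
  return entry.type !== 'SymbolicLink';
}

// Constructed sample entry list (not taken from any real archive). Two pairs
// would land on the same inode on a case-insensitive APFS volume.
const SAMPLE_ENTRIES = [
  { path: 'pkg/stra\u00dfe.txt', type: 'File' },        // contains ß
  { path: 'pkg/strasse.txt', type: 'SymbolicLink' },    // contains ss
  { path: 'pkg/caf\u00e9.txt', type: 'File' },          // precomposed é
  { path: 'pkg/cafe\u0301.txt', type: 'File' },         // e + combining acute
  { path: 'pkg/readme.md', type: 'File' },
];

// Summary a maintainer could log: the colliding groups each key finds, and how
// many entries survive the symlink filter.
function report(entries = SAMPLE_ENTRIES) {
  const paths = entries.map(e => e.path);
  return {
    nfdOnlyCollisions: collidingGroups(paths, reservationKeyNfdOnly),
    foldedCollisions: collidingGroups(paths, reservationKeyFolded),
    keptAfterSymlinkFilter: entries.filter(e => rejectSymlinks(e.path, e)).length,
  };
}

console.log(JSON.stringify(report(), null, 2));
```

With the NFD-only key, only the precomposed/decomposed `café` pair is recognised as one path; the `straße`/`strasse` pair is missed, which is exactly the gap the advisory describes. With the folded key both pairs collapse to one reservation. The `rejectSymlinks` predicate is what would be handed to node-tar as `filter` when extracting untrusted archives, which removes the symlink half of any such collision before the race can matter.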
Impacted products
Vendor Product Version
isaacs tar *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "D724D370-A0D0-436A-82FD-91AE149B932E",
              "versionEndExcluding": "7.5.4",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `\u00df` and `ss`), allowing them to be processed in parallel. This bypasses the library\u0027s internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `\u00df` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `\u00df` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem\u0027s behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase(\u0027en\u0027)` and then `toLocaleUpperCase(\u0027en\u0027)`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue."
    },
    {
      "lang": "es",
      "value": "node-tar, un Tar para Node.js, tiene una vulnerabilidad de condici\u00f3n de carrera en versiones hasta la 7.5.3 inclusive. Esto se debe a un manejo incompleto de colisiones de rutas Unicode en el sistema \u0027path-reservations\u0027. En sistemas de archivos que no distinguen may\u00fasculas y min\u00fasculas o que no distinguen la normalizaci\u00f3n (como macOS APFS, en el que ha sido probado), la librer\u00eda no logra bloquear rutas en colisi\u00f3n (por ejemplo, \u0027\u00df\u0027 y \u0027ss\u0027), permitiendo que se procesen en paralelo. Esto elude las salvaguardias internas de concurrencia de la librer\u00eda y permite ataques de envenenamiento de enlaces simb\u00f3licos (Symlink Poisoning) a trav\u00e9s de condiciones de carrera. La librer\u00eda utiliza un sistema \u0027PathReservations\u0027 para asegurar que las comprobaciones de metadatos y las operaciones de archivo para la misma ruta se serialicen. Esto previene condiciones de carrera donde una entrada podr\u00eda sobrescribir otra concurrentemente. Esta es una Condici\u00f3n de Carrera que permite la Sobreescritura Arbitraria de Archivos (Arbitrary File Overwrite). Esta vulnerabilidad afecta a usuarios y sistemas que utilizan node-tar en macOS (APFS/HFS+). Debido al uso de la normalizaci\u00f3n Unicode \u0027NFD\u0027 (en la que \u0027\u00df\u0027 y \u0027ss\u0027 son diferentes), las rutas en conflicto no conservan su orden correctamente en sistemas de archivos que ignoran la normalizaci\u00f3n Unicode (por ejemplo, APFS (en el que \u0027\u00df\u0027 causa una colisi\u00f3n de inodos con \u0027ss\u0027)). Esto permite a un atacante eludir bloqueos de paralelizaci\u00f3n internos (\u0027PathReservations\u0027) utilizando nombres de archivo en conflicto dentro de un archivo tar malicioso. El parche en la versi\u00f3n 7.5.4 actualiza \u0027path-reservations.js\u0027 para usar una forma de normalizaci\u00f3n que coincida con el comportamiento del sistema de archivos de destino (por ejemplo, \u0027NFKD\u0027), seguido primero de \u0027toLocaleLowerCase(\u0027en\u0027)\u0027 y luego de \u0027toLocaleUpperCase(\u0027en\u0027)\u0027. Como soluci\u00f3n alternativa, los usuarios que no pueden actualizar r\u00e1pidamente, y que est\u00e1n utilizando \u0027node-tar\u0027 program\u00e1ticamente para extraer datos arbitrarios de tarball deber\u00edan filtrar todas las entradas \u0027SymbolicLink\u0027 (como hace npm) para defenderse contra escrituras de archivos arbitrarias a trav\u00e9s de este problema de colisi\u00f3n de nombres de entradas del sistema de archivos."
    }
  ],
  "id": "CVE-2026-23950",
  "lastModified": "2026-02-18T15:50:29.910",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.3,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-01-20T01:15:57.870",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-176"
        },
        {
          "lang": "en",
          "value": "CWE-352"
        },
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}
