Home > Vulnerability Database > CVE-2025-64118

Mend.io Vulnerability Database

CVE-2025-64118

Good to know:

Date: October 30, 2025

node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

Severity Score

6.6

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64118

Url: https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d

Url: https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9

Url: https://github.com/isaacs/node-tar/issues/445

Url: https://github.com/isaacs/node-tar/pull/446

Url: https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph

Url: https://github.com/isaacs/node-tar

Url: https://www.mend.io/vulnerability-database/CVE-2025-64118

Severity Score

6.6

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-367

Top Fix

Upgrade Version

Upgrade to version tar - 7.5.2

Learn More

CVSS v3.1

Base Score:	6.6
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64118

Good to know:

Date: October 30, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?