CVE-2025-64118 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2025-64118

CVE-2025-64118

October 30, 2025

node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

Affected Packages

tar (NPM):

Affected version(s) =7.5.1 <7.5.2

Fix Suggestion:

Update to version 7.5.2

Related Resources (7)

https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph

https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d

https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9

https://github.com/isaacs/node-tar/pull/446

https://github.com/isaacs/node-tar/issues/445

https://github.com/isaacs/node-tar

https://nvd.nist.gov/vuln/detail/CVE-2025-64118

Do you need more information?

CVSS v4

Base Score:

6.1

Attack Vector

LOCAL

Attack Complexity

HIGH

Attack Requirements

PRESENT

Privileges Required

LOW

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

6.6

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Weakness Type (CWE)

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-362

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-367

EPSS

Base Score:

0.01

Products

Solutions

Resources

Company

Compare

Developer Tools