CVE-2025-64118: 
JavaScript vulnerability analysis and mitigation

node-tar is a Tar utility for Node.js that was found to contain a vulnerability (CVE-2025-64118) in version 7.5.1. The vulnerability was discovered on October 27, 2025, and involves a race condition that can lead to uninitialized memory exposure when using the .t (list) function with { sync: true } option. This occurs specifically when a tar file is changed on disk to a smaller size while being read (GitHub Advisory).

The vulnerability is caused by a race condition in the synchronous listing functionality where uninitialized memory contents are returned if the tar file is modified during processing. The issue occurs specifically when using .t (aka .list) with { sync: true } option. The vulnerability has been assigned a CVSS v4.0 score of 6.1 (Medium) with the vector string CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H. The bug was introduced in commit 5330eb0 and has been classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-367 (Time-of-check Time-of-use Race Condition) (NVD).

The vulnerability can expose process memory, potentially revealing sensitive data such as unrelated file contents, environment variables, and passwords. The exposure occurs when an attacker can reduce the file size to a boundary between a tar header and body block during the critical time window between the tar archive file size being read via stat and the tar archive parser reaching the truncated entry (GitHub Advisory).

The vulnerability has been fixed in version 7.5.2. Users are advised to upgrade to this version or use versions prior to 7.5.1, as they are not affected by this vulnerability. The fix ensures proper handling of file size changes during processing (GitHub Advisory).