
Cloud Vulnerability DB
A community-led vulnerabilities database
node-tar is a tar implementation for Node.js. Version 7.5.1 is affected by CVE-2025-64118: calling .t (alias .list) with { sync: true } to read tar entry contents can return uninitialized memory if the tar file on disk is shrunk while it is being read. The vulnerability was discovered in October 2025 and fixed in version 7.5.2 (GitHub Advisory).
The vulnerability is a race condition (time-of-check to time-of-use, TOCTOU) in the synchronous listing path, specifically the .t method with the { sync: true } option. The bug was introduced in version 7.5.1 and is triggered when reading tar entry contents if the tar file is shrunk between the initial file size check and the actual read operation. It has been assigned a CVSS v4.0 score of 6.1 (Medium), with the vector string CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H (NVD).
The vulnerability can expose process memory, potentially revealing sensitive data such as unrelated file contents, environment variables, and passwords. The impact is conditional on the attacker being able to truncate a file on disk, or to induce its truncation or replacement. If the tar file is initially larger than opt.maxReadSize (16kb by default), the program may instead enter an infinite loop, causing a denial of service rather than information disclosure (GitHub Advisory).
The vulnerability is fixed in version 7.5.2 of node-tar. Users are advised to upgrade to this version; versions prior to 7.5.1 are not affected. The fix makes the sync t/list operation behave consistently when the file changes underneath it (TOCTOU) (GitHub Commit).
Source: This report was generated using AI