CVE-2025-64118: node-tar has a race condition leading to uninitialized memory exposure
Using .t (alias .list) with { sync: true } to read tar entry contents returns uninitialized memory if the tar file on disk is shrunk while it is being read. The synchronous reader allocates a block-sized buffer and returns it to the consumer even when the read that filled it came up short, so the tail of the returned data is whatever the allocator left in that memory. Exploiting it requires a race: the file must change size between the point where the reader decides how much to read and the read itself, so the realistic scenario is an attacker who can modify (or truncate) an archive that a privileged process is listing with sync: true, and who can observe the listed contents.
References
- github.com/advisories/GHSA-29xp-372q-xqph
- github.com/isaacs/node-tar
- github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d
- github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9
- github.com/isaacs/node-tar/issues/445
- github.com/isaacs/node-tar/pull/446
- github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph
- nvd.nist.gov/vuln/detail/CVE-2025-64118