GHSA-29xp-372q-xqph: node-tar has a race condition leading to uninitialized memory exposure

October 30, 2025

Using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read.

References

github.com/advisories/GHSA-29xp-372q-xqph
github.com/isaacs/node-tar
github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9
github.com/isaacs/node-tar/issues/445
github.com/isaacs/node-tar/pull/446
github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph

Code Behaviors & Features

Detect and mitigate GHSA-29xp-372q-xqph with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →