Vulnerability Database

310,222

Total vulnerabilities in the database

CVE-2025-64118

node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

Published: Oct 30, 2025
Updated: Nov 24, 2025
CVE: CVE-2025-64118
GHSA: GHSA-29xp-372q-xqph
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-362
CWE-367

Affected Software
References

Software	From	Fixed in
tar	7.5.1	7.5.1.x
tar	7.5.1	7.5.2

https://github.com/isaacs/node-tar/commit/5330eb04bc43014f216e5c271b40d5c00d45224d
https://github.com/isaacs/node-tar/commit/5e1a8e638600d3c3a2969b4de6a6ec44fa8d74c9
https://github.com/isaacs/node-tar/issues/445
https://github.com/isaacs/node-tar/pull/446
https://github.com/isaacs/node-tar/security/advisories/GHSA-29xp-372q-xqph

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo