CVE-2025-64118 MEDIUM

CVE-2025-64118: node-tar vulnerable to race condition leading to uninitialized memory exposure

Vendor Isaacs
Product node-tar
Weakness CWE-362
Published October 30, 2025
Last update October 30, 2025

CVSS base score

6.1/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H

What the vulnerability does

01Description

node-tar is a Tar for Node.js. In 7.5.1, using .t (aka .list) with { sync: true } to read tar entry contents returns uninitialized memory contents if tar file was changed on disk to a smaller size while being read. This vulnerability is fixed in 7.5.2.

Key dates

02Disclosure timeline

October 30, 2025 CVE published
October 30, 2025 Record updated