Uninitialized Memory Disclosure in Node.js Tar Package
CVE-2025-64118

6.1MEDIUM

Key Information:

Vendor

Isaacs

Status
Node-tar
Vendor
CVE Published:
30 October 2025

What is CVE-2025-64118?

The node-tar package version 7.5.1 for Node.js has a vulnerability that can lead to uninitialized memory content being returned when reading tar entry contents. This occurs specifically when the .t (or .list) option is used with the { sync: true } parameter, and a tar file has been modified on disk to a smaller size during the read operation. The issue has been addressed in version 7.5.2, which mitigates the risk associated with this flaw.

Affected Version(s)

node-tar = 7.5.1

References

https://github.com/isaacs/node-tar/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/isaacs/node-tar/issues/445
x_refsource_MISC
https://github.com/isaacs/node-tar/pull/446
x_refsource_MISC

CVSS V4

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.