PT-2026-3529 · Node-Tar+2

Tomasilluminati · Published 2026-01-20 · Updated 2026-05-19 · CVE-2026-23950

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:C/A:P
Name of the Vulnerable Software and Affected Versions: node-tar versions up to and including 7.5.3
Description: node-tar, a tar implementation for Node.js, contains a race condition caused by incomplete handling of Unicode path collisions in its path-reservations system. On case-insensitive or normalization-insensitive filesystems, such as macOS APFS, paths that collide (e.g., ß and ss) are not locked as the same reservation. Such entries are therefore processed in parallel, which bypasses the internal concurrency safeguards and enables symlink poisoning attacks through the race. An attacker can circumvent the internal parallelization locks by placing conflicting filenames in a malicious tar archive. The issue stems from the use of NFD Unicode normalization, which does not preserve the ordering of conflicting paths on filesystems that ignore Unicode normalization. The result is a race condition that enables arbitrary file overwrite.
Recommendations: node-tar versions up to and including 7.5.3 should be upgraded to version 7.5.4. As a workaround, filter out all SymbolicLink entries when programmatically extracting arbitrary tarball data.
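A filter implementing the workaround above, added here as an example that is not part of this advisory or of node-tar itself. It assumes node-tar's extract option `filter(path, entry)` and the entry `type` value `SymbolicLink`, and it goes beyond the advisory by also skipping any later entry whose path collides with an earlier one once Unicode normalization and case are ignored; the entries are constructed, not taken from a real archive.

```javascript
// Case-insensitive, normalization-insensitive key for a path: NFC folds
// NFD/NFC spellings, and upper-then-lower approximates full case folding so
// that 'ß' and 'ss' map to the same key ('ß'.toUpperCase() is 'SS').
function foldPath(p) {
  return p.normalize('NFC').toUpperCase().toLowerCase();
}

// Returns a function with node-tar's `filter(path, entry)` shape. It skips
// every SymbolicLink entry (the advisory's workaround) and, going beyond the
// advisory, skips any later entry whose folded path matches an earlier one,
// so two spellings of one name can never be unpacked into the same location.
function makeSafeFilter(onSkip = () => {}) {
  const seen = new Set();
  return (entryPath, entry) => {
    if (entry.type === 'SymbolicLink') {
      onSkip(entryPath, 'symlink entry');
      return false;
    }
    const key = foldPath(entryPath);
    if (seen.has(key)) {
      onSkip(entryPath, `collides with earlier entry (${key})`);
      return false;
    }
    seen.add(key);
    return true;
  };
}

// Constructed entries mimicking the objects node-tar passes to `filter`
// (only the `path` and `type` fields are used here).
const SAMPLE_ENTRIES = [
  { path: 'pkg/strasse', type: 'Directory' },
  { path: 'pkg/stra\u00dfe', type: 'SymbolicLink', linkpath: 'elsewhere' },
  { path: 'pkg/STRASSE', type: 'File' },
  { path: 'pkg/caf\u00e9.txt', type: 'File' },  // precomposed e-acute (NFC)
  { path: 'pkg/cafe\u0301.txt', type: 'File' },  // e + combining acute (NFD)
  { path: 'pkg/readme.md', type: 'File' },
];

// Runs the filter over a list of entries; reports kept paths and skip reasons.
function applyFilter(entries) {
  const skipped = [];
  const filter = makeSafeFilter((p, reason) => skipped.push({ path: p, reason }));
  const kept = entries.filter((e) => filter(e.path, e)).map((e) => e.path);
  return { kept, skipped };
}

// With node-tar itself (not run here): tar.x({ file, cwd, filter: makeSafeFilter() })
console.log(JSON.stringify(applyFilter(SAMPLE_ENTRIES), null, 2));
```

Skipping only the second spelling keeps extraction going; a stricter policy can abort the whole extraction from the `onSkip` callback instead.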

Tags: Exploit · Fix · CSRF · Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

ALSA-2026:18480
ALSA-2026:18868
BDU:2026-01713
CVE-2026-23950
GHSA-R6Q2-HW4H-H46W

Affected Products

Confluence
Red Os
Node-Tar