CVE-2026-23950

HIGH 8.8
Published: 2026-01-20
Last Modified: 2026-02-18
Affected Apps: 23
Affected Devices: 189
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L

node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions.

The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+).

Because the library uses `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved on filesystems that ignore Unicode normalization (e.g., APFS, in which `ß` causes an inode collision with `ss`). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive.

The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data, should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
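
The difference between the two reservation keys, and the symlink workaround, can be checked on an archive listing before extraction. This is an added example, not node-tar source: `nfdKey`, `foldedKey`, `findCollisions`, `dropSymlinks` and the entry listing are hypothetical names and constructed data that follow the description above.

```javascript
// Added example, not node-tar code. Entries mimic { path, type } records
// from a tar listing; the listing below is constructed sample data.

// NFD only: the form under which the advisory says `ß` and `ss` stay distinct.
const nfdKey = (p) => p.normalize('NFD');

// Key as the advisory describes for 7.5.4: NFKD, then lower-case,
// then upper-case, both with a fixed 'en' locale.
const foldedKey = (p) =>
  p.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');

// Group entries by key and report groups where different names share one key,
// i.e. names that must be serialized on a case/normalization-insensitive FS.
function findCollisions(entries, keyFn) {
  const groups = new Map();
  for (const e of entries) {
    const k = keyFn(e.path);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(e);
  }
  return [...groups.values()]
    .filter((g) => new Set(g.map((e) => e.path)).size > 1)
    .map((g) => ({
      paths: g.map((e) => e.path),
      hasSymlink: g.some((e) => e.type === 'SymbolicLink'),
    }));
}

// Workaround from the advisory: drop every SymbolicLink entry.
const dropSymlinks = (entries) =>
  entries.filter((e) => e.type !== 'SymbolicLink');

// Constructed listing for illustration.
const sampleEntries = [
  { path: 'pkg/ß', type: 'SymbolicLink' },
  { path: 'pkg/ss', type: 'File' },
  { path: 'pkg/README.md', type: 'File' },
  { path: 'pkg/readme.md', type: 'File' },
];

console.log(JSON.stringify(findCollisions(sampleEntries, nfdKey)));
console.log(JSON.stringify(findCollisions(sampleEntries, foldedKey), null, 2));
console.log(dropSymlinks(sampleEntries).map((e) => e.path));
```

When extracting with node-tar itself, the same predicate can be supplied through its `filter(path, entry)` option by returning `false` for entries whose `entry.type` is `'SymbolicLink'`.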