Bug 2431036 (CVE-2026-23950)
| Summary: | CVE-2026-23950 node-tar: tar: node-tar: Arbitrary file overwrite via Unicode path collision race condition | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aazores, abarbaro, abrianik, abuckta, akostadi, alcohan, alizardo, amasferr, anjoseph, anpicker, anthomas, aschwart, asoldano, aszczucz, ataylor, bbaranow, bbrownin, bdettelb, bmaxwell, boliveir, bparees, brian.stansberry, bstansbe, carogers, caswilli, cmah, darran.lofthouse, dbosanac, dbruscin, dfreiber, dhanak, dkuc, dlofthou, dmayorov, doconnor, dosoudil, drichtar, drosa, drow, dschmidt, dsimansk, dymurray, eaguilar, ebaron, eborisov, ehelms, erezende, ggainey, ggrzybek, gmalinko, gparvin, haoli, hasun, hkataria, ibek, ibolton, istudens, ivassile, iweiss, jajackso, janstey, jbalunas, jburrell, jcammara, jcantril, jchui, jfula, jhe, jkoehler, jlanda, jlledo, jmatthew, jmitchel, jmontleo, jneedle, jolong, jowilson, jprabhak, jraez, jreimann, jrokos, juwatts, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kvanderr, kverlaen, lball, lchilton, lphiri, mabashia, manissin, mattdavi, matzew, mdessi, mhulan, mnovotny, mosmerov, mposolda, mrizzi, mstipich, msvehla, nboldt, ngough, nmoumoul, nwallace, nyancey, oaljalju, ometelka, orabin, osousa, owatkins, pahickey, pantinor, parichar, pberan, pbohmill, pbraun, pcattana, pcreech, pdelbell, pesilva, pgaikwad, pjindal, pmackay, psrna, ptisnovs, rchan, rexwhite, rhaigner, rjohnson, rmartinc, rojacob, rstancel, rstepani, sausingh, sdawley, sfeifer, shvarugh, simaishi, slucidi, smaestri, smallamp, smcdonal, sseago, ssilvert, stcannon, sthirugn, sthorger, syedriko, tasato, teagle, tfister, thavo, thjenkin, tmalecek, tom.jenkinson, tsedmik, vdosoudi, veshanka, vkumar, vmuzikar, wtam, xdharmai, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in node-tar, a library for Node.js. This race condition vulnerability occurs due to incomplete handling of Unicode path collisions within the `path-reservations` system on case-insensitive filesystems, such as macOS APFS. A remote attacker can exploit this by providing a specially crafted tar archive containing filenames that cause these collisions, bypassing internal concurrency safeguards. Successful exploitation can lead to arbitrary file overwrite. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2431086, 2431098, 2431103, 2431105, 2431106, 2431108, 2431109, 2431113, 2431115, 2431116, 2431088, 2431090, 2431092, 2431094, 2431095, 2431096, 2431097, 2431099, 2431100, 2431101, 2431102, 2431104, 2431107, 2431110, 2431111, 2431112, 2431114, 2431117 | ||
| Bug Blocks: | |||
node-tar, a Tar implementation for Node.js, has a race condition vulnerability in versions up to and including 7.5.3, caused by incomplete handling of Unicode path collisions in the `path-reservations` system. The library uses a `PathReservations` table to serialize the metadata checks and file operations for any given path, so that one entry cannot clobber another that is being processed concurrently. The reservation key is derived with `NFD` Unicode normalization, under which `ß` and `ss` are distinct strings. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which the issue was tested), those two names resolve to the same file (on APFS, `ß` collides with `ss` on the same inode), so the library never locks the colliding paths against each other and processes them in parallel. This bypasses the library's internal concurrency safeguards and permits symlink poisoning via the race, which enables arbitrary file overwrite: an attacker who controls the archive supplies entries whose names collide only after the filesystem's folding, so the ordering guarantees that `PathReservations` is meant to provide are not preserved. Users and systems running node-tar on macOS (APFS/HFS+) are affected.

The patch in version 7.5.4 updates `path-reservations.js` to derive the key with a normalization that matches the target filesystem's behaviour: `NFKD` normalization, followed by `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')` (the upper-casing step is what folds `ß` to `SS`, the same value `ss` folds to).

As a workaround, users who cannot upgrade promptly and who extract arbitrary tarball data programmatically with `node-tar` should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this filesystem entry name collision.
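The following is an added example, not code from node-tar or from this bug report. It contrasts a pre-7.5.4-style reservation key (NFD plus lower-casing, assumed here for illustration) with the 7.5.4-style key the advisory describes (NFKD, then `toLocaleLowerCase('en')`, then `toLocaleUpperCase('en')`), groups a constructed list of archive paths by key to show which entries would be serialized under each scheme, and expresses the advisory's workaround as a `filter` callback of the shape node-tar's `x()` accepts (`(path, entry)`, return `false` to skip). The function names, the sample paths and the reservation grouping are this example's own assumptions, not node-tar internals.

```javascript
// Added example: reservation-key folding before and after the node-tar 7.5.4 fix.
// Not node-tar's own code; helper names and sample data are this example's.

// Pre-7.5.4-style key (assumption for illustration): NFD, then plain lower-casing.
// Under this key `ß` and `ss` stay distinct, so APFS-colliding names are not locked
// against each other.
function legacyKey(p) {
  return p.normalize('NFD').toLowerCase();
}

// 7.5.4-style key as described in the advisory: NFKD, then toLocaleLowerCase('en'),
// then toLocaleUpperCase('en'). The upper-casing step maps `ß` to `SS`, which is
// exactly what `ss` maps to, so both names now share one reservation.
function fixedKey(p) {
  return p.normalize('NFKD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// Minimal model of a reservation table: does `p` collide with an already
// reserved path under `keyFn` (and therefore have to wait for it)?
function collides(reserved, p, keyFn) {
  const k = keyFn(p);
  return reserved.some(r => keyFn(r) === k);
}

// Partition archive paths into groups that must be processed serially.
// Paths in different groups may be processed in parallel.
function reservationGroups(paths, keyFn) {
  const groups = new Map();
  for (const p of paths) {
    const k = keyFn(p);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(p);
  }
  return [...groups.values()];
}

// Advisory workaround as a node-tar `filter` callback: drop every
// SymbolicLink entry so no symlink can be planted for a colliding entry
// to write through. node-tar reports symlink entries with type 'SymbolicLink'.
function dropSymlinks(path, entry) {
  return entry.type !== 'SymbolicLink';
}

// Constructed sample of entry names a malicious archive might carry:
// `straße`/`strasse`/`Straße` collide on APFS; the two `café` spellings
// differ only in composed vs. decomposed form; `other` collides with nothing.
const samplePaths = ['straße', 'strasse', 'Straße', 'caf\u00e9', 'cafe\u0301', 'other'];

// Usage: compare how many independent (parallelisable) groups each key yields.
console.log('legacy groups:', reservationGroups(samplePaths, legacyKey));
console.log('fixed groups :', reservationGroups(samplePaths, fixedKey));
console.log('straße vs strasse under legacy key collide?',
  collides(['strasse'], 'straße', legacyKey));
console.log('straße vs strasse under fixed key collide?',
  collides(['strasse'], 'straße', fixedKey));
```

Under the legacy key the sample yields four groups, with `straße` and `strasse` in different ones, which is the gap the advisory describes; under the fixed key they fold into three groups and the `ß`/`ss` pair is serialized. To apply the workaround with the real library, pass `dropSymlinks` as the `filter` option of `tar.x()` (the callback signature is the documented `(path, entry)` one; the example only defines the function and does not require the `tar` package).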