Bug 2407440 (CVE-2025-64118) - CVE-2025-64118 node-tar: tar: node-tar: Information disclosure via reading a truncated tar file
Summary: CVE-2025-64118 node-tar: tar: node-tar: Information disclosure via reading a ...
Keywords:
Status: NEW
Alias: CVE-2025-64118
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2431062 2431063 2431065 2431067 2431068 2431070 2431071 2431072 2431073 2431074 2431075 2431076 2431077 2431078 2431080 2431081 2431082 2431083 2431084 2431085 2431087 2431089 2431091 2431064 2431066 2431069 2431079 2431093
Blocks:
Reported: 2025-10-30 18:01 UTC by OSIDB Bzimport
Modified: 2026-01-20 05:01 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-10-30 18:01:42 UTC
node-tar is a tar implementation for Node.js. In version 7.5.1, using `.t` (also known as `.list`) with `{ sync: true }` to read tar entry contents returns uninitialized memory contents if the tar file is truncated on disk to a smaller size while it is being read: the synchronous reader sizes its buffer from the entry header, and when the read comes up short the unfilled tail of the buffer is handed back as if it were entry data. This vulnerability is fixed in 7.5.2.

