CVE-2026-23950
Unknown Unknown - Not Provided
Race Condition in node-tar Allows Symlink Poisoning on macOS

Publication date: 2026-01-20

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23950
EUVD
EUVD-2026-3595
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
isaacs tar to 7.5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-176 The product does not properly handle when an input contains Unicode encoding.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in node-tar (versions up to 7.5.3) is a race condition caused by improper handling of Unicode path collisions on case-insensitive or normalization-insensitive filesystems like macOS APFS. The library's PathReservations system, which is supposed to serialize file operations on the same path to prevent conflicts, fails to properly lock paths that appear different under Unicode normalization but collide on the filesystem (e.g., 'ß' and 'ss'). This allows parallel processing of colliding paths, bypassing concurrency safeguards and enabling Symlink Poisoning attacks and arbitrary file overwrites during tarball extraction. [1]

Impact Analysis

The vulnerability can lead to arbitrary file overwrites and Symlink Poisoning attacks during extraction of malicious tar archives. This means an attacker can exploit the race condition to overwrite or create files they should not have access to, potentially leading to unauthorized code execution, data corruption, or system compromise on affected systems using node-tar on macOS filesystems. [1]

Detection Guidance

Detection of this vulnerability involves identifying usage of node-tar versions up to and including 7.5.3 on macOS systems using APFS or HFS+ filesystems, especially when extracting tarballs containing symbolic links or filenames with Unicode ligatures that may cause path collisions (e.g., 'ß' and 'ss'). While no specific commands are provided in the resources, users should audit their systems for node-tar package versions and monitor extraction processes for suspicious parallel processing of colliding paths or unexpected file overwrites. Filtering out symbolic link entries during extraction can also help detect attempts to exploit this issue. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading node-tar to version 7.5.4 or later, which contains the patch that improves Unicode normalization and path reservation handling to prevent this race condition. If upgrading promptly is not possible, users should programmatically filter out all symbolic link entries during tarball extraction to prevent arbitrary file writes via filename collisions, as done by npm. These steps reduce the risk of Symlink Poisoning and arbitrary file overwrite attacks on affected macOS filesystems. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23950. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart