{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-23950","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-01-19T14:49:06.312Z","datePublished":"2026-01-20T00:40:48.510Z","dateUpdated":"2026-01-21T20:15:57.278Z"},"containers":{"cna":{"title":"node-tar has Race Condition in Path Reservations via Unicode Ligature Collisions on macOS APFS","problemTypes":[{"descriptions":[{"cweId":"CWE-176","lang":"en","description":"CWE-176: Improper Handling of Unicode Encoding","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-352","lang":"en","description":"CWE-352: Cross-Site Request Forgery (CSRF)","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-367","lang":"en","description":"CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L","version":"3.1"}}],"references":[{"name":"https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w","tags":["x_refsource_CONFIRM"],"url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w"},{"name":"https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6","tags":["x_refsource_MISC"],"url":"https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6"}],"affected":[{"vendor":"isaacs","product":"node-tar","versions":[{"version":"< 7.5.4","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-01-20T00:40:48.510Z"},"descriptions":[{"lang":"en","value":"node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue."}],"source":{"advisory":"GHSA-r6q2-hw4h-h46w","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-21T20:15:29.211170Z","id":"CVE-2026-23950","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-21T20:15:57.278Z"}}]}}