SB2026062676 - Interpretation Conflict in node-tar

Published: June 26, 2026

Security Bulletin ID: SB2026062676
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Interpretation Conflict (CVE-ID: CVE-2026-53655)

CWE-ID: CWE-436 - Interpretation Conflict

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to hide archive members from security tooling or downstream processing.

The vulnerability exists due to an interpretation conflict in Header.decode in node-tar's tar parser when it parses an attacker-supplied tar archive in which a PAX extended header precedes intermediary GNU long-name or long-link headers. A remote attacker can supply a specially crafted archive to hide archive members from security tooling or downstream processing.

The issue occurs because PAX overrides such as size are applied to the intermediary metadata headers themselves, which can desynchronize parsing and cause different tar implementations to report different contents for the same archive.
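As an added example (not node-tar's own code), the following Node.js walker reads a tar buffer's raw ustar headers and flags the ordering the bulletin describes: a PAX extended header followed by a GNU long-name or long-link header before the entry it belongs to. It takes each header's size from that header's own octal size field rather than from a preceding PAX record, which is what keeps the walk synchronized; the header builder, the sample archive and all names in it are constructed for this example.

```javascript
const BLOCK = 512;
// Read a NUL/space-terminated octal field from a raw tar header.
function parseOctal(hdr, off, len) {
  const s = hdr.toString('ascii', off, off + len).split('\0')[0].trim();
  return s ? parseInt(s, 8) : 0;
}
// Walk the archive header by header. Every header's size comes from its own
// size field, never from a preceding PAX record, so 'x'/'L'/'K' headers never
// shift the stream. Returns all records and the offsets of long-name/long-link
// headers that appear while a PAX header is still waiting for its entry.
function scanTar(buf) {
  const records = [], suspicious = [];
  let off = 0, pendingPax = null;
  while (off + BLOCK <= buf.length) {
    const hdr = buf.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break;            // end-of-archive zero block
    const size = parseOctal(hdr, 124, 12);
    const typeflag = hdr[156] === 0 ? '0' : String.fromCharCode(hdr[156]);
    records.push({ typeflag, size, offset: off });
    if (typeflag === 'x') pendingPax = off;           // PAX header for the next entry
    else if (typeflag === 'L' || typeflag === 'K') {  // GNU long name / long link
      if (pendingPax !== null) suspicious.push(off);
    } else pendingPax = null;                         // the real entry consumes the PAX state
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;   // header + padded data blocks
  }
  return { records, suspicious };
}
// Constructed helpers: build a minimal ustar header (checksum omitted) and an entry.
function header(name, typeflag, size) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 100, 'ascii');
  h.write(size.toString(8).padStart(11, '0') + '\0', 124, 12, 'ascii');
  h[156] = typeflag.charCodeAt(0);
  return h;
}
function entry(name, typeflag, data) {
  const body = Buffer.alloc(Math.ceil(data.length / BLOCK) * BLOCK);
  data.copy(body);
  return Buffer.concat([header(name, typeflag, data.length), body]);
}
// Constructed sample archive: PAX header, then a GNU long-name header, then the file.
const SAMPLE = Buffer.concat([
  entry('PaxHeaders/a', 'x', Buffer.from('23 path=some/long/name\n')),
  entry('././@LongLink', 'L', Buffer.from('some/long/name\0')),
  entry('some/long/name', '0', Buffer.from('hello\n')),
  Buffer.alloc(BLOCK * 2),
]);
console.log(scanTar(SAMPLE).suspicious);  // [ 1024 ]
```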


Remediation

Install the update from the vendor's website.