CVE-2026-53655
CVE-2026-53655 is a medium-severity vulnerability in Isaacs Tar with a CVSS 3.x base score of 5.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-436.
Key facts
- Severity: Medium (CVSS 3.x base score 5.5)
- CVSS v4: 6.9
- EPSS exploit prediction: 0% (1st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-38255
- Weakness: CWE-436
- Affected product: Isaacs Tar
- Published:
- Last modified:
Description
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
Frequently asked questions
- What is CVE-2026-53655?
- node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (node-tar) applies a PAX extended header's size= record (and other PAX overrides) to the next header entry of any type, including intermediary metadata headers such as a GNU long-name (L) or long-link (K) entry. Per POSIX pax, a PAX extended header (x) describes the next file entry, not the intermediary extension headers that may sit between the x header and the file it annotates. Because node-tar lets the PAX size override the byte length of an intervening L/K/x header, an attacker can desynchronize node-tar's stream cursor relative to every other mainstream tar implementation (GNU tar, libarchive/bsdtar, Python tarfile, and the now-fixed tar-rs / astral-tokio-tar). The result is a tar parser interpretation differential (CWE-436): a single crafted archive yields a different set of members under node-tar than under the reference tar tools. An attacker can use this to hide a member from one parser while it is visible to another, which defeats security tooling whose scanner and extractor disagree on archive contents (e.g. a malware/secret scanner that lists entries with one library while a downstream step extracts with another) This vulnerability is fixed in 7.5.16.
- How severe is CVE-2026-53655?
- CVE-2026-53655 has a CVSS 3.x base score of 5.5, rated medium severity. It is exploitable over local access with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2026-53655 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-53655?
- CVE-2026-53655 affects Isaacs Tar. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-53655?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-53655 have an EU (EUVD) identifier?
- Yes. CVE-2026-53655 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-38255.
- When was CVE-2026-53655 published?
- CVE-2026-53655 was published on 2026-06-22 and last updated on 2026-06-26.
References
Affected products (1)
- cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:*
More vulnerabilities in Isaacs Tar
- CVE-2026-23950 — High (CVSS 8.8): node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an…
- CVE-2026-24842 — High (CVSS 8.2): node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink…
- CVE-2018-20834 — High (CVSS 7.5): A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue…
- CVE-2026-26960 — High (CVSS 7.1): node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an…
- CVE-2024-28863 — Medium (CVSS 6.5): node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the…
- CVE-2026-29786 — Medium (CVSS 6.3): node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that…
All CVEs affecting Isaacs Tar →
Other CWE-436 vulnerabilities
- CVE-2023-24813 — Critical (CVSS 10.0): Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and…
- CVE-2026-8034 — Critical (CVSS 9.8): A server-side request forgery (SSRF) vulnerability was identified in the GitHub Enterprise Server notebook viewer that…
- CVE-2021-45327 — Critical (CVSS 9.8): Gitea before 1.11.2 is affected by Trusting HTTP Permission Methods on the Server Side when referencing the vulnerable…
- CVE-2020-10180 — Critical (CVSS 9.8): The ESET AV parsing engine allows virus-detection bypass via a crafted BZ2 Checksum field in an archive. This affects…
- CVE-2019-19589 — Critical (CVSS 9.8): The Lever PDF Embedder plugin 4.4 for WordPress does not block the distribution of polyglot PDF documents that are…
- CVE-2026-14198 — Critical (CVSS 9.1): @fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching…