CVE-2025-64118 is a concurrency-related vulnerability classified under CWE-362 (Race Condition) and CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition) affecting the node-tar package version 7.5.1, a widely used Node.js library for handling tar archives. The issue arises when the .t (or .list) method is invoked with the { sync: true } option to synchronously read tar entry contents. If the tar file on disk is truncated to a smaller size during the read operation, the method may return uninitialized memory contents instead of valid data. This occurs due to improper synchronization and lack of atomicity in file size checks and reads, allowing a race condition between file modification and reading. The vulnerability can lead to leakage of potentially sensitive memory data, violating confidentiality. Exploitation requires local or low-privilege access to the system where node-tar is used, partial user interaction, and the ability to modify tar files during read operations. The CVSS 4.0 score is 6.1 (medium severity), reflecting the complexity and limited attack vector. The flaw was addressed in node-tar version 7.5.2 by improving synchronization and ensuring safe reads. No public exploits are known at this time. This vulnerability is particularly relevant for applications that process tar files synchronously and may be exposed to concurrent file modifications, such as CI/CD pipelines, build systems, or file extraction services using node-tar 7.5.1.

For European organizations, this vulnerability poses a confidentiality risk as uninitialized memory contents could be exposed, potentially leaking sensitive information such as credentials, tokens, or other in-memory data. Organizations relying on node-tar 7.5.1 in environments where tar files are accessed and modified concurrently—such as automated build servers, container image extraction, or file archival services—may inadvertently expose sensitive data. While the vulnerability does not directly affect system integrity or availability, the data leakage risk can lead to further compromise if sensitive information is obtained by attackers. The requirement for local or low-privilege access and partial user interaction limits remote exploitation but insider threats or compromised accounts could exploit this flaw. European entities in sectors with stringent data protection regulations (e.g., finance, healthcare, government) must be particularly vigilant to avoid data breaches. The medium severity rating indicates a moderate but non-trivial risk that should be addressed promptly to maintain compliance and security posture.

1. Upgrade node-tar to version 7.5.2 or later immediately to incorporate the fix addressing the race condition. 2. Avoid using the .t or .list method with { sync: true } on tar files that may be concurrently modified or truncated during read operations. Prefer asynchronous methods with proper file locking or atomic operations where possible. 3. Implement file integrity monitoring and access controls to prevent unauthorized or concurrent modifications of tar files during processing. 4. Restrict local access and user permissions to minimize the risk of malicious or accidental concurrent file changes. 5. In CI/CD or automated environments, ensure that tar files are stable and immutable during extraction or listing phases. 6. Conduct code reviews and testing to detect similar race conditions in other file handling components. 7. Monitor for any emerging exploits or advisories related to this vulnerability to respond rapidly if exploitation attempts arise.