The vulnerability in node-tar (prior to 7.5.16) involves incorrect handling of PAX extended headers, specifically the size= record, which node-tar applies to the next header entry regardless of its type, including intermediary metadata headers like GNU long-name (L) or long-link (K) entries. According to POSIX pax standards, a PAX extended header should describe the next file entry, not intermediary extension headers. This misinterpretation causes node-tar's stream cursor to become desynchronized relative to other tar implementations such as GNU tar, libarchive/bsdtar, and Python tarfile. This discrepancy creates a tar parser interpretation differential (CWE-436), enabling attackers to craft archives that present different member sets depending on the parser used. This can be exploited to hide files from security scanners that use one parser while allowing extraction by another. The issue is resolved in node-tar version 7.5.16.

The impact is that attackers can create tar archives that appear differently to node-tar compared to other standard tar parsers. This can be used to evade detection by security tools that list archive contents with one parser but extract with another, potentially allowing malicious or sensitive files to be hidden from scanners. There is no indication of remote code execution or privilege escalation directly from this vulnerability. No known exploits in the wild have been reported.

A fix is available in node-tar version 7.5.16. Users and organizations should upgrade to version 7.5.16 or later to resolve this vulnerability. Since no vendor advisory content is provided, patch status is inferred from the description stating the issue is fixed in 7.5.16. No additional mitigations are indicated.