GHSA-r6q2-hw4h-h46w
Race Condition vulnerability in tar (npm)
What is GHSA-r6q2-hw4h-h46w About?
This Race Condition vulnerability in `node-tar` arises from incomplete handling of Unicode path collisions, specifically related to the 'ß' and 'ss' characters, on case-insensitive filesystems like macOS APFS. It allows threat actors to bypass internal concurrency safeguards, leading to Symlink Poisoning attacks and enabling Arbitrary File Overwrite. Exploitation is moderately complex, requiring carefully crafted tar archives and specific environmental conditions.
Affected Software
Technical Details
The node-tar library (v7.5.3) uses a PathReservations system to serialize metadata checks and file operations on the same path, with the aim of preventing race conditions. However, the reserve function, specifically its join(normalizeUnicode(p)).toLowerCase() step, does not correctly handle Unicode path collisions: on filesystems such as macOS APFS, 'ß' and 'ss' are treated as the same path, while node-tar's internal normalizeUnicode function treats them as distinct. Because of this mismatch, node-tar processes the colliding entries in parallel, bypassing the intended concurrency locks. An attacker can craft a malicious tar archive containing entries with such Unicode-colliding names and exploit the resulting race to perform Symlink Poisoning, which in turn leads to Arbitrary File Overwrite: one file operation clobbers another that is executing concurrently on a path the filesystem considers identical but node-tar's reservation system does not.
What is the Impact of GHSA-r6q2-hw4h-h46w?
Successful exploitation may allow attackers to achieve arbitrary file overwrite within the target system. This can lead to data corruption, alteration of system configurations, or in conjunction with other vulnerabilities, potentially lead to code execution or privilege escalation.
What is the Exploitability of GHSA-r6q2-hw4h-h46w?
Exploitation of this vulnerability involves crafting a specific tar archive with carefully chosen Unicode-colliding filenames ('ß' and 'ss'). It requires that the node-tar library is processing multiple entries concurrently, which is often facilitated by a high 'jobs' setting in the Unpack options. The attacker needs to deliver the malicious tar archive to a system running node-tar on a case-insensitive or Unicode-normalization-insensitive filesystem (e.g., macOS APFS/HFS+). No prior authentication is explicitly required for the archive processing itself, but the attacker needs a means to supply the archive to the vulnerable application. The attack is remote as it involves supplying a crafted file, but the impact is local to the system processing the archive. The complexity is moderate due to the race condition timing requirements and the need for specific filesystem characteristics.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-r6q2-hw4h-h46w?
Available Upgrade Options
- tar
- <7.5.4 → Upgrade to 7.5.4
Additional Resources
- https://github.com/isaacs/node-tar
- https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6
- https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w
- https://nvd.nist.gov/vuln/detail/CVE-2026-23950
- https://osv.dev/vulnerability/GHSA-r6q2-hw4h-h46w
What are Similar Vulnerabilities to GHSA-r6q2-hw4h-h46w?
Similar Vulnerabilities: CVE-2020-28469, CVE-2021-39135, CVE-2022-24348, CVE-2022-31129, CVE-2023-45136
