CVE-2026-23950: node-tar Race Condition Vulnerability

CVE-2026-23950 Overview

A race condition vulnerability has been discovered in node-tar, the popular Tar library for Node.js. Versions up to and including 7.5.3 contain an incomplete handling of Unicode path collisions in the path-reservations system that can lead to arbitrary file overwrite attacks on case-insensitive or normalization-insensitive filesystems.

Critical Impact

This vulnerability enables Symlink Poisoning attacks via race conditions, potentially allowing attackers to overwrite arbitrary files on affected systems through maliciously crafted tar archives.

Affected Products

• node-tar versions up to and including 7.5.3
• Systems running macOS with APFS or HFS+ filesystems
• Applications extracting untrusted tar archives using the node-tar library

Discovery Timeline

• 2026-01-20 - CVE-2026-23950 published to NVD
• 2026-01-20 - Last updated in NVD database

Technical Details for CVE-2026-23950

Vulnerability Analysis

The node-tar library implements a PathReservations system designed to ensure that metadata checks and file operations for the same path are serialized, preventing race conditions where one entry might overwrite another concurrently. However, this safeguard can be bypassed due to improper handling of Unicode normalization on certain filesystems.

On case-insensitive or normalization-insensitive filesystems such as macOS APFS and HFS+, the library fails to properly lock colliding paths. For example, the Unicode character ß (German Eszett) and the ASCII sequence ss are treated as different strings by the library's internal path reservation system using NFD Unicode normalization, but these paths resolve to the same inode on APFS filesystems.

This discrepancy allows an attacker to craft a malicious tar archive containing entries with Unicode-colliding filenames that bypass the internal concurrency safeguards, enabling parallel processing of paths that should be serialized.

Root Cause

The root cause is classified as CWE-176 (Improper Handling of Unicode Encoding). The path-reservations.js module uses NFD Unicode normalization, which treats characters like ß and ss as distinct. However, filesystems like APFS perform their own normalization during file operations, treating these as identical paths. This mismatch between the application-level path tracking and filesystem-level path resolution creates a Time-of-Check Time-of-Use (TOCTOU) race condition.

Attack Vector

An attacker can exploit this vulnerability by creating a malicious tar archive containing two entries with Unicode-colliding names. When extracted on a vulnerable system:

1. The attacker includes a symbolic link entry with one Unicode variant (e.g., ß)
2. A second entry uses the colliding name (e.g., ss) pointing to a sensitive file path
3. Due to the path reservation bypass, both entries are processed in parallel
4. The symlink is created first, and the subsequent file write follows the symlink
5. This results in arbitrary file overwrite at the symlink target location

The attack requires user interaction (extracting a malicious archive) but can be delivered over the network. For detailed technical analysis, see the GitHub Security Advisory.

Detection Methods for CVE-2026-23950

Indicators of Compromise

• Tar archives containing entries with Unicode characters known to normalize differently (e.g., ß, ss, fi, fi)
• Symbolic link entries in tar archives pointing to sensitive system paths
• Unexpected file modifications following tar extraction operations
• Log entries showing parallel processing of path-colliding entries during tar extraction

Detection Strategies

• Monitor tar extraction operations for archives containing symbolic link entries combined with Unicode filenames
• Implement file integrity monitoring on critical system files and application configurations
• Scan incoming tar archives for suspicious Unicode character combinations in filenames
• Review application dependencies for vulnerable node-tar versions using npm audit or similar tools

Monitoring Recommendations

• Enable verbose logging for tar extraction operations in production environments
• Monitor filesystem events for unexpected symlink creation followed by file writes
• Implement alerting for tar extraction operations involving untrusted sources
• Track file modifications to sensitive paths like configuration files and credentials

How to Mitigate CVE-2026-23950

Immediate Actions Required

• Upgrade node-tar to version 7.5.4 or later immediately
• Audit all applications that process tar archives from untrusted sources
• Review recent tar extraction operations for potential exploitation
• Implement symbolic link filtering for tar extraction operations handling untrusted data

Patch Information

The vulnerability has been patched in node-tar version 7.5.4. The fix updates path-reservations.js to use a normalization form that matches the target filesystem's behavior (NFKD), followed by toLocaleLowerCase('en') and then toLocaleUpperCase('en') to ensure proper path collision detection across different filesystem implementations.

The patch can be reviewed in the GitHub commit.

Workarounds

• Filter out all SymbolicLink entries when programmatically extracting arbitrary tarball data (as npm does)
• Implement pre-extraction scanning to detect and reject archives with Unicode-colliding filenames
• Extract tar archives to isolated temporary directories before moving files to final destinations
• Use chroot or container isolation when extracting untrusted tar archives

# Check current node-tar version and upgrade
npm list tar
npm update tar

# Or explicitly install the patched version
npm install tar@7.5.4

# Verify the upgrade
npm list tar