Scharfes S, Sharp Claws: Breaking Node-Tar with Unicode Ligatures
Vulnerability ID: CVE-2026-23950
CVSS Score: 8.8
Published: 2026-01-21
A high-severity race condition in the popular node-tar library allows arbitrary file overwrites on macOS systems. The vulnerability stems from a mismatch between how the library normalizes Unicode path names and how the APFS filesystem handles character ligatures (like the German 'ß'), bypassing concurrency safeguards.
TL;DR
Node-tar's locking mechanism failed to account for a macOS filesystem quirk under which names differing only by characters like 'ß' and 'ss' resolve to the same file. This allowed attackers to bypass path reservations, leading to a race condition in which a malicious symlink could be swapped in during file extraction, causing arbitrary file overwrites.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-367 (TOCTOU Race Condition)
- Secondary CWE: CWE-176 (Improper Handling of Unicode Encoding)
- CVSS: 8.8 (High)
- Attack Vector: Network (Malicious Tarball)
- Platform: macOS / Node.js
- EPSS Score: 0.00014 (Low Probability)
Affected Systems
- macOS (APFS filesystem)
- macOS (HFS+ filesystem)
- Node.js applications using node-tar <= 7.5.3 (Fixed in: 7.5.4)
Code Analysis
Commit: 3b1abfa
Fix race condition in path reservation by improving unicode normalization
// NFD decomposition, then a lower/upper case round trip: in JavaScript 'ß'.toUpperCase() is 'SS',
// so 'ß' and 'ss' now yield the same reservation key instead of two distinct ones.
export const normalizeUnicode = (s: string): string => s.normalize('NFD').toLocaleLowerCase('en').toLocaleUpperCase('en')
Mitigation Strategies
- Upgrade node-tar to version 7.5.4 or higher immediately.
- Set jobs: 1 in extraction options to disable concurrency, eliminating the race condition window.
- Implement a filter to reject SymbolicLink entries during extraction.
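The following is an added example, not code from node-tar or from the advisory, covering both the Code Analysis and the Mitigation Strategies sections: it compares an NFD-only reservation key with the folded key from the fix on constructed paths, and shows a symlink-rejecting filter and a jobs: 1 options object in the (path, entry) shape node-tar's filter option uses. The helper names keyNfdOnly, keyFolded, collides, rejectSymlinks and hardenedExtractOptions are hypothetical.

```javascript
// Added example (not node-tar's own code). Helper names are hypothetical.

// Pre-fix style reservation key: NFD only. 'ß' and 'ss' stay distinct here,
// while a case-insensitive APFS/HFS+ lookup treats them as the same file,
// so two entries can target one path without sharing a reservation.
function keyNfdOnly(p) {
  return p.normalize('NFD');
}

// Post-fix style key, mirroring the commit: NFD, then lower/upper round trip.
// 'ß'.toUpperCase() is 'SS' in JavaScript, so 'straße' and 'strasse' fold
// to the same key and are serialized by the reservation.
function keyFolded(p) {
  return p.normalize('NFD').toLocaleLowerCase('en').toLocaleUpperCase('en');
}

// True when two entry paths would map to the same reservation slot.
function collides(a, b, keyFn) {
  return keyFn(a) === keyFn(b);
}

// Mitigation: drop every SymbolicLink entry before it is written.
// Same (path, entry) signature as node-tar's filter option; in this
// stand-alone example `entry` is a constructed plain object with a `type`.
function rejectSymlinks(path, entry) {
  return entry.type !== 'SymbolicLink';
}

// Mitigation: extraction options with concurrency disabled (jobs: 1),
// closing the window in which the swap can happen, plus the filter above.
const hardenedExtractOptions = {
  jobs: 1,
  filter: rejectSymlinks,
};

// Constructed entries standing in for what a malicious tarball might carry.
const sampleEntries = [
  { path: 'straße/config.json', type: 'File' },
  { path: 'strasse', type: 'SymbolicLink' },
];

// Applies the hardened filter and returns the paths that would be extracted.
function extractPlan(entries, options) {
  return entries.filter((e) => options.filter(e.path, e)).map((e) => e.path);
}
```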
Remediation Steps:
- Run npm ls node-tar to identify vulnerable dependencies.
- Update the package.json to pin node-tar to ^7.5.4.
- Run npm update node-tar.
- Verify the installed version with npm list node-tar.
References
Read the full report for CVE-2026-23950 on our website for more details including interactive diagrams and full exploit analysis.