[GHSA-29xp-372q-xqph] node-tar has a race condition leading to uninitialized memory exposure#6384
aiob3 wants to merge 1 commit into aiob3/advisory-improvement-6384 from
Conversation
Hi there @isaacs! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull Request Overview
This PR updates a GitHub security advisory (GHSA-29xp-372q-xqph) for CVE-2025-64118 to reflect revised severity metrics. The changes update the CVSS v4.0 score vector and the overall severity rating from MODERATE to HIGH, along with a minor timestamp update.
- Updated CVSS v4.0 score vector with different attack vector, complexity, and impact metrics
- Increased severity classification from MODERATE to HIGH
- Updated modification timestamp
The attack vector is incorrect. An attacker must have file write access to the tarball being unpacked, in order to truncate it to the appropriate boundary. Also, you've changed the Attack Complexity to low, but the description and multiple mitigating factors mean that it is actually an extremely high complexity attack. An attacker must know exactly when and to what boundary to truncate a tar file, and it only results in information disclosure in certain circumstances requiring that the system admin has chosen to do very unusual and non-default things in their code. I do not approve of this change.
need to improve security