node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized. This prevents race conditions where one entry might clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode normalization (in which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ß` causes an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this file system entry name collision issue.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1464 advisory.

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link     (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows     malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via     hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
    (CVE-2026-23745)

    node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This     is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-     insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested),     the library fails to lock colliding paths (e.g., `ss` and `ss`), allowing them to be processed in     parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning     attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks     and file operations for the same path are serialized. This prevents race conditions where one entry might     clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This     vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD`     Unicode normalization (in which `ss` and `ss` are different), conflicting paths do not have their order     properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ss` causes     an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks     (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version     7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's     behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
    As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to     extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend     against arbitrary file writes via this file system entry name collision issue. (CVE-2026-23950)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1466 advisory.

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link     (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows     malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via     hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
    (CVE-2026-23745)

    node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This     is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-     insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested),     the library fails to lock colliding paths (e.g., `ss` and `ss`), allowing them to be processed in     parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning     attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks     and file operations for the same path are serialized. This prevents race conditions where one entry might     clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This     vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD`     Unicode normalization (in which `ss` and `ss` are different), conflicting paths do not have their order     properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ss` causes     an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks     (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version     7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's     behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
    As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to     extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend     against arbitrary file writes via this file system entry name collision issue. (CVE-2026-23950)

    node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check     for hardlink entries uses different path resolution semantics than the actual hardlink creation logic.
    This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections     and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix     for the issue. (CVE-2026-24842)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1465 advisory.

    A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been     rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation     leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of     an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the     public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue.
    The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the     affected component. (CVE-2025-5889)

    node-tar is a Tar for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link     (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows     malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via     hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
    (CVE-2026-23745)

    node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This     is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-     insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested),     the library fails to lock colliding paths (e.g., `ss` and `ss`), allowing them to be processed in     parallel. This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning     attacks via race conditions. The library uses a `PathReservations` system to ensure that metadata checks     and file operations for the same path are serialized. This prevents race conditions where one entry might     clobber another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This     vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD`     Unicode normalization (in which `ss` and `ss` are different), conflicting paths do not have their order     properly preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `ss` causes     an inode collision with `ss`)). This enables an attacker to circumvent internal parallelization locks     (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version     7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's     behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
    As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to     extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend     against arbitrary file writes via this file system entry name collision issue. (CVE-2026-23950)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-a84e0ad039 advisory.

    Update nodejs modules used by pccs daemon for CVE-2026-23745, CVE-2026-23950, CVE-2026-24842,     CVE-2025-13465, CVE-2025-15284.
    Remove Fedora override of default pccs daemon port.
    Remove redundant dep on mpa_registration from pccs.
    Add system scriptlets for pccs server.
    Port to pycryptography & pyasn1.
    Fix tracebacks in keyring code.


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f601b2f60a advisory.

    Update to version 20.20.0

    ----

    Update to version 20.19.6




Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This     is due to an incomplete handling of Unicode path collisions in the `path-reservations` system. On case-     insensitive or normalization-insensitive filesystems (such as macOS APFS, In which it has been tested),     the library fails to lock colliding paths (e.g., `` and `ss`), allowing them to be processed in parallel.
    This bypasses the library's internal concurrency safeguards and permits Symlink Poisoning attacks via race     conditions. The library uses a `PathReservations` system to ensure that metadata checks and file     operations for the same path are serialized. This prevents race conditions where one entry might clobber     another concurrently. This is a Race Condition which enables Arbitrary File Overwrite. This vulnerability     affects users and systems using node-tar on macOS (APFS/HFS+). Because of using `NFD` Unicode     normalization (in which `` and `ss` are different), conflicting paths do not have their order properly     preserved under filesystems that ignore Unicode normalization (e.g., APFS (in which `` causes an inode     collision with `ss`)). This enables an attacker to circumvent internal parallelization locks     (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version     7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem's     behavior (e.g., `NFKD`), followed by first `toLocaleLowerCase('en')` and then `toLocaleUpperCase('en')`.
    As a workaround, users who cannot upgrade promptly, and who are programmatically using `node-tar` to     extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend     against arbitrary file writes via this file system entry name collision issue. (CVE-2026-23950)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
301359	Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1464)	Nessus	Amazon Linux Local Security Checks	high
301345	Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1466)	Nessus	Amazon Linux Local Security Checks	high
301342	Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1465)	Nessus	Amazon Linux Local Security Checks	high
299072	Fedora 43 : linux-sgx (2026-a84e0ad039)	Nessus	Fedora Local Security Checks	high
297442	Fedora 43 : nodejs20 (2026-f601b2f60a)	Nessus	Fedora Local Security Checks	high
293776	Linux Distros Unpatched Vulnerability : CVE-2026-23950	Nessus	Misc.	medium

Detections

Analytics

CVE-2026-23950

medium

Tenable Plugins

high

high

high

high

high

medium