Tar package in base node installed has CVE-2025-64118

[keithboone]

Version

v24.11.0

Platform

Linux 5.10.245-241.976.amzn2.x86_64 nodejs/node#1 SMP Tue Oct 21 22:09:08 UTC 2025 x86_64 Linux

Subsystem

tar

What steps will reproduce the bug?

See public reporting on CVE-2025-64118

How often does it reproduce? Is there a required condition?

Every build since yesterday of this base image.

What is the expected behavior? Why is that the expected behavior?

No CVE detected on base node installation.

What do you see instead?

AWS Inspector reports medium CVE: CVE-2025-64118

Additional information

No response

[ljharb]

Is this an issue with the docker image, then, and not the standard node release?

[MikeMcC399]

@ljharb

Is this an issue with the docker image, then, and not the standard node release?

I can't speak for the original poster, however there is an issue with npm@11.6.1, packaged with Node.js 24.11.0 and Node.js 25.1.0 and installed in a Docker image.

Reproducible with:

trivy image --ignore-unfixed --pkg-types library --scanners vuln node:24.11.0
trivy image --ignore-unfixed --pkg-types library --scanners vuln node:25.1.0

├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤
│ usr/local/lib/node_modules/npm/node_modules/tar/package.json                     │ node-pkg │        1        │
├──────────────────────────────────────────────────────────────────────────────────┼──────────┼─────────────────┤

Node.js (node-pkg)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

┌────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│      Library       │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                         Title                          │
├────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ tar (package.json) │ CVE-2025-64118 │ MEDIUM   │ fixed  │ 7.5.1             │ 7.5.2         │ node-tar has a race condition leading to uninitialized │
│                    │                │          │        │                   │               │ memory exposure                                        │
│                    │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-64118             │
└────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

According to wolfi-dev/advisories#25125 it seems this may be a false positive.

[mikehaas763]

AWS Inspector flagged this for me coming from the container images FROM node:24-alpine

[MikeMcC399]

@mikehaas763

AWS Inspector flagged this for me coming from the container images FROM node:24-alpine

I wouldn't expect any change unless security scanners are trained to ignore this false positive in npm, or until npm@11.6.3 is released (see npm/cli#8671) and then bundled into a Node.js release.

I don't believe there is anything that Node.js can do about this security warning at the moment.

[MikeMcC399]

npm@11.6.3, released Nov 19, 2025, includes tar@7.5.2 so now it's just a question of the regular Node.js release process picking up the latest npm version.