CVE-2026-53655

node-tar (node-tar) before version 7.5.16 is vulnerable: it applies a PAX extended header size override to the next header entry, including intermediary L/K/x headers, which desynchronizes the stream cursor from other tar implementations. This yields a tar-parser interpretation differential (CWE-...

CVE-2026-53655 node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extend...

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

Summary tar node-tar applies a PAX extended header's size= record and other PAX overrides to the next header entry of any type, including intermediary metadata headers such as a GNU long-name L or long-link K entry. Per POSIX pax, a PAX extended header x describes the next file entry, not the...

CVE-2026-32766

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser...

CVE-2026-32766

astral-tokio-tar is a tar archive reading/writing library for async Rust. In versions 0.5.6 and earlier, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser...

Insufficient validation of PAX extensions during extraction

In versions 0.5.6 and earlier of astral-tokio-tar, malformed PAX extensions were silently skipped when parsing tar archives. This silent skipping rather than rejection of invalid PAX extensions could be used as a building block for a parser differential, for example by silently skipping a malform...

BIT-PYTHON-MIN-2025-13462 tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations...

BIT-LIBPYTHON-2025-13462 tarfile: Skip DIRTYPE normalization during GNU LONGNAME/LONGLINK handling

The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations...

CVE-2025-13462

The "tarfile" module would still apply normalization of AREGTYPE \x00 blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPELONGNAME or GNUTYPELONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations...

CVE-2002-2164

Buffer overflow in Microsoft Outlook Express 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service crash via a long link...

libarchive 安全漏洞

libarchive is a multi-format archive and compression library open-sourced by libarchive. A security vulnerability exists in libarchive 3.7.7 and earlier versions, which stems from a heap-based buffer over-read due to incorrect handling of truncation in the middle of GNU long link names...

firefox: thunderbird: Origin of permission prompt could be spoofed by long URL

A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: Truncation of a long URL could have allowed origin spoofing in a permission prompt...

firefox: thunderbird: Origin of permission prompt could be spoofed by long URL

A flaw was found in Mozilla. The Mozilla Foundation's Security Advisory describes the following issue: Truncation of a long URL could have allowed origin spoofing in a permission prompt...

UBUNTU-CVE-2024-10462

Truncation of a long URL could have allowed origin spoofing in a permission prompt. This vulnerability affects Firefox 132, Firefox ESR 128.4, Thunderbird 128.4, and Thunderbird 132...

CVE-2021-46901

examples/6lbr/apps/6lbr-webserver/httpd.c in CETIC-6LBR aka 6lbr 1.5.0 has a strcat stack-based buffer overflow via a request for a long URL over a 6LoWPAN network...

SUSE CVE-2019-9675

An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phartarwriteheadersint in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue...

Mozilla Firefox 输入验证错误漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. Mozilla Firefox suffers from an input validation error vulnerability that originates from insufficient validation of URLs, which can be exploited by an attacker to trick a victim into clicking on a ver...

AZL-37054 CVE-2019-17414 affecting package vino 3.22.0-20

tinylcy Vino through 2017-12-15 allows remote attackers to cause a denial of service "vngetstring error: Resource temporarily unavailable" error and daemon crash via a long URL...

CVE-2019-9675

Removed by vendor...

CVE-2019-9675

An issue was discovered in PHP 7.x before 7.1.27 and 7.3.x before 7.3.3. phartarwriteheadersint in ext/phar/tar.c has a buffer overflow via a long link value. NOTE: The vendor indicates that the link value is used only when an archive contains a symlink, which currently cannot happen: "This issue...