Skip to main content

Node Tar

4 CVEs product

Monthly

CVE-2026-59871 HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-59874 HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows remote attackers to hang a Node.js application by feeding it a crafted tar archive: a checksum-valid header carrying a negative base-256 encoded entry size makes the tar.replace scanner advance zero bytes and re-parse the same header forever. No public exploit or active exploitation is identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the high, easily-reachable availability impact. Only applications that call tar.replace on untrusted archive input are affected.

Node.js Denial Of Service Node Tar
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59873 CRITICAL PATCH NEWS Act Now

Uncontrolled resource consumption in node-tar before 7.5.19 lets a small crafted gzip bomb exhaust disk space and CPU on any Node.js application that extracts or parses attacker-supplied tar archives. Because node-tar imposes no upper bound on total decompressed size, entry count, or compression ratio in its extract and parse paths, a tiny malicious file can inflate to consume all available storage and processing, causing denial of service. No public exploit has been identified, but the fix is a straightforward, well-documented behavior change published in the vendor advisory GHSA-23hp-3jrh-7fpw.

Node.js Denial Of Service Node Tar
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-59875 MEDIUM PATCH This Month

Process termination via crafted tar archive affects node-tar prior to 7.5.17, where NUL bytes in PAX path and linkpath header records are not sanitized before being passed to Node.js filesystem calls. Any application using node-tar to extract untrusted archives is susceptible to denial of service through an uncaught exception that crashes the Node.js process. No confirmed active exploitation or public exploit code has been identified at time of analysis; however, the low attack complexity (CVSS AC:L, PR:N) makes this trivial to trigger wherever attacker-controlled archive input reaches a vulnerable node-tar instance.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows unauthenticated network-reachable attackers to crash Node.js processes by submitting crafted tar archives containing all-digit PAX header path or linkpath values. The library incorrectly coerces these string values to JavaScript numbers in src/pax.ts, causing downstream path handling (normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError when it attempts to call a string method on a numeric value. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in node-tar prior to 7.5.18 allows remote attackers to hang a Node.js application by feeding it a crafted tar archive: a checksum-valid header carrying a negative base-256 encoded entry size makes the tar.replace scanner advance zero bytes and re-parse the same header forever. No public exploit or active exploitation is identified at time of analysis, but the CVSS 4.0 base score of 8.7 reflects the high, easily-reachable availability impact. Only applications that call tar.replace on untrusted archive input are affected.

Node.js Denial Of Service Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Uncontrolled resource consumption in node-tar before 7.5.19 lets a small crafted gzip bomb exhaust disk space and CPU on any Node.js application that extracts or parses attacker-supplied tar archives. Because node-tar imposes no upper bound on total decompressed size, entry count, or compression ratio in its extract and parse paths, a tiny malicious file can inflate to consume all available storage and processing, causing denial of service. No public exploit has been identified, but the fix is a straightforward, well-documented behavior change published in the vendor advisory GHSA-23hp-3jrh-7fpw.

Node.js Denial Of Service Node Tar
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Process termination via crafted tar archive affects node-tar prior to 7.5.17, where NUL bytes in PAX path and linkpath header records are not sanitized before being passed to Node.js filesystem calls. Any application using node-tar to extract untrusted archives is susceptible to denial of service through an uncaught exception that crashes the Node.js process. No confirmed active exploitation or public exploit code has been identified at time of analysis; however, the low attack complexity (CVSS AC:L, PR:N) makes this trivial to trigger wherever attacker-controlled archive input reaches a vulnerable node-tar instance.

Node.js Information Disclosure Node Tar
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy