CVE-2026-59873

isaacs · node-tar

The node-tar library for Node.js fails to enforce resource limits during archive extraction, allowing attackers to trigger denial-of-service via crafted gzip bombs.

Executive summary

A critical vulnerability in the isaacs node-tar library allows unauthenticated attackers to cause resource exhaustion by submitting maliciously crafted archives.

Vulnerability

This vulnerability (CWE-770) stems from a failure to enforce hard upper bounds on total decompressed data, entry counts, or decompression ratios. An unauthenticated attacker can supply a crafted archive that exhausts CPU and disk space upon processing.

Business impact

The ability to trigger resource exhaustion poses a significant risk to service availability. Successful exploitation can lead to a complete denial-of-service for applications relying on the library, potentially impacting critical business workflows. Given the CVSS score of 9.2, this vulnerability is considered critical as it allows for trivial exploitation against exposed services.

Remediation

Immediate Action: Update the isaacs node-tar library to version 7.5.19 or later immediately to implement necessary resource constraints.

Proactive Monitoring: Monitor server CPU and disk usage metrics for anomalous spikes during archive processing tasks.

Compensating Controls: Implement strict file size limits and scan all incoming archives via a robust security gateway or sandbox before handing them off to the node-tar processing logic.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a high-risk vector for availability-based attacks. Organizations utilizing node-tar for file uploads or processing must prioritize updating to version 7.5.19 to ensure proper resource management is enforced.