CVE-2026-59873
isaacs · node-tar
The node-tar library for Node.js fails to enforce resource limits during archive extraction, allowing attackers to trigger denial-of-service via crafted gzip bombs.
Executive summary
A critical vulnerability in the isaacs node-tar library allows unauthenticated attackers to cause resource exhaustion by submitting maliciously crafted archives.
Vulnerability
This vulnerability (CWE-770) stems from a failure to enforce hard upper bounds on total decompressed data, entry counts, or decompression ratios. An unauthenticated attacker can supply a crafted archive that exhausts CPU and disk space upon processing.
Business impact
The ability to trigger resource exhaustion poses a significant risk to service availability. Successful exploitation can lead to a complete denial-of-service for applications relying on the library, potentially impacting critical business workflows. Given the CVSS score of 9.2, this vulnerability is considered critical as it allows for trivial exploitation against exposed services.
Remediation
Immediate Action: Update the isaacs node-tar library to version 7.5.19 or later immediately to implement necessary resource constraints.
Proactive Monitoring: Monitor server CPU and disk usage metrics for anomalous spikes during archive processing tasks.
Compensating Controls: Implement strict file size limits and scan all incoming archives via a robust security gateway or sandbox before handing them off to the node-tar processing logic.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability represents a high-risk vector for availability-based attacks. Organizations utilizing node-tar for file uploads or processing must prioritize updating to version 7.5.19 to ensure proper resource management is enforced.