CVE-2026-59874
isaacs · node-tar
The node-tar library is vulnerable to an infinite loop condition when processing malformed tar archives, resulting in denial-of-service.
Executive summary
A high-severity denial-of-service vulnerability in node-tar can be exploited by processing malicious archives, causing the application to hang.
Vulnerability
The library is susceptible to an infinite loop (CWE-835) during the processing of archive files. An unauthenticated attacker can trigger this condition by providing a specially crafted tar archive to the application.
Business impact
The vulnerability can be used to cause an application crash or indefinite hang, leading to service downtime. With a CVSS score of 8.7, this represents a significant threat to any service or pipeline that processes untrusted tar files, potentially impacting CI/CD workflows or file upload features.
Remediation
Immediate Action: Upgrade the node-tar dependency to version 7.5.18 or later to ensure the infinite loop condition is resolved.
Proactive Monitoring: Monitor application logs and system resource usage for processes stuck in a high-CPU state during file extraction or archive processing operations.
Compensating Controls: Implement strict file size and type validation for all incoming archives before passing them to the extraction utility.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability should be addressed immediately in all Node.js projects utilizing the node-tar library. Ensure that all dependencies are audited and updated to version 7.5.18 to prevent potential denial-of-service attacks against your infrastructure.