CVE-2026-59871
Received Received - Intake

Path Traversal in Node.js node-tar Library

Vulnerability report for CVE-2026-59871, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPath(entry.path).split('/') to throw an uncaught TypeError. This issue is fixed in version 7.5.18.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
isaacs node-tar 7.5.18
node-tar node-tar to 7.5.18 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-704 The product does not correctly convert an object, resource, or structure from one type to a different type.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can cause any Node.js process using the node-tar library to crash when extracting specially crafted tar archives containing all-digit PAX path values. The crash is a synchronous TypeError that bypasses all error handling mechanisms, leading to a denial of service.

  • Applications that extract untrusted tar archives, such as npm, CI/CD pipelines, file upload processors, and backup tools, are vulnerable.
  • The impact is a loss of availability due to process crashes, which can disrupt automated workflows and services relying on tar extraction.

The vulnerability has a moderate severity with a CVSS score of 5.3, requiring no privileges or user interaction to exploit.

Executive Summary

The vulnerability CVE-2026-59871 exists in the node-tar library, which is used for manipulating tar archives in Node.js. Prior to version 7.5.18, the library incorrectly converts all-digit PAX path and linkpath values into JavaScript numbers instead of treating them as strings. This causes downstream functions, such as normalizeWindowsPath(entry.path).split('/'), to throw an uncaught TypeError because numbers do not have a split method. This type confusion leads to crashes when extracting certain tar archives.

The issue arises from the parseKV function converting numeric-looking PAX header values using the unary plus operator, which causes the type mismatch. The fix in version 7.5.18 introduces a strict allowed list of known types for PAX header values and ensures paths are explicitly cast to strings, preventing these crashes.

Detection Guidance

This vulnerability can be detected by identifying if your system or application uses a vulnerable version of the node-tar library prior to 7.5.18.

Specifically, detection involves checking for the presence of node-tar versions that improperly parse PAX headers containing all-digit path or linkpath values, which cause crashes during extraction.

You can detect vulnerable versions by running commands to check the installed version of node-tar in your environment.

  • Run `npm ls node-tar` in your Node.js project directory to see the installed version of node-tar.
  • Use `grep` or similar tools to scan your codebase or dependencies for usage of node-tar versions prior to 7.5.18.

Additionally, monitoring logs or crash reports for uncaught TypeErrors related to `.split('/')` on numeric values during tar extraction can indicate exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade the node-tar library to version 7.5.18 or later, where the vulnerability is fixed.

This update includes a fix that enforces strict type handling of PAX header values and prevents the crash caused by numeric path values.

If upgrading immediately is not possible, avoid extracting untrusted or potentially malicious tar archives that may contain crafted PAX headers with all-digit path values.

Implement additional input validation or sandboxing around tar extraction processes to limit the impact of potential crashes.

Compliance Impact

The vulnerability in node-tar causes a denial of service by crashing Node.js processes that extract crafted tar archives. This can impact availability of services that rely on node-tar for file extraction, such as npm, CI/CD pipelines, file upload processors, and backup tools.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the denial of service and potential disruption of availability could indirectly affect compliance, as these regulations require maintaining availability and integrity of data processing systems.

However, there is no direct information provided about data confidentiality or privacy breaches related to this vulnerability, so its impact on compliance with data protection regulations is limited to availability concerns.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart