CVE-2026-59873
Received Received - Intake

Path Traversal in Node.js node-tar Library

Vulnerability report for CVE-2026-59873, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
isaacs node-tar to 7.5.19 (exc)
node-tar node-tar to 7.5.19 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59873 is a critical Denial of Service (DoS) vulnerability in the node-tar library, which is used for manipulating tar archives in Node.js. The vulnerability exists because versions prior to 7.5.19 do not enforce strict limits on the total decompressed data size, the number of entries, or the decompression ratio during extraction. An attacker can exploit this by crafting a malicious tar archive that appears small but decompresses into a very large amount of data, exhausting disk space and CPU resources.

Specifically, the attacker can create a tar archive with headers claiming huge file sizes and highly compressible data (like zeros). When node-tar extracts this archive, it will continue decompressing and writing data until the disk is full, causing system failure. This vulnerability requires no privileges or user interaction and can be triggered easily.

Impact Analysis

This vulnerability can lead to a Denial of Service (DoS) condition by exhausting disk space and CPU resources on the affected system. If you use node-tar to process untrusted tar archives, an attacker can cause your system to rapidly consume all available disk space and CPU, potentially crashing applications or the entire system.

Such an impact can disrupt services that rely on node-tar, including npm registries, CI/CD pipelines, or file-sharing platforms, leading to downtime and loss of availability.

Detection Guidance

This vulnerability involves the node-tar library decompressing maliciously crafted archives that cause excessive disk and CPU usage. Detection can focus on monitoring unusual disk space consumption and CPU spikes during archive extraction processes.

Specifically, you can monitor processes that use node-tar for extracting TAR archives and look for rapid growth in disk usage or unusually high CPU load.

While no specific commands are provided in the resources, general detection commands could include:

  • Use system monitoring tools like `top` or `htop` to observe CPU usage spikes.
  • Use `df -h` or `du -sh` on directories where archives are extracted to detect sudden disk space exhaustion.
  • Monitor logs or processes that invoke node-tar for unusually large or long-running extraction tasks.

Additionally, if you have access to the node-tar extraction code, enabling or checking for the `maxDecompressionRatio` option (introduced in the patch) can help detect or prevent decompression bombs by aborting extraction when the decompression ratio is exceeded.

Mitigation Strategies

The primary mitigation step is to upgrade the node-tar library to version 7.5.19 or later, where this vulnerability is fixed.

This update introduces a security feature called `maxDecompressionRatio` which enforces limits on the ratio of decompressed data to compressed data, preventing decompression bombs from exhausting system resources.

If upgrading immediately is not possible, consider implementing resource limits on processes that perform archive extraction, such as limiting CPU and disk usage via operating system controls or container resource limits.

Also, avoid processing untrusted or unauthenticated TAR archives with vulnerable versions of node-tar.

Compliance Impact

The vulnerability in node-tar allows an attacker to exhaust disk space and CPU resources by exploiting the lack of limits on decompressed data size and entry counts. This can lead to denial of service and system-wide failures.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such a denial of service could impact the availability of systems processing untrusted archives, which is a key aspect of many security frameworks.

Organizations subject to regulations requiring high availability and protection against resource exhaustion attacks may find this vulnerability relevant to their compliance posture, as it could cause service disruptions affecting regulated data processing.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart