CVE-2026-59874
Received Received - Intake

Tar Archive Parser Denial of Service via Negative Entry Size in node-tar

Vulnerability report for CVE-2026-59874, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
isaacs node-tar to 7.5.18 (exc)
isaacs node-tar to 7.5.17 (exc)
node-tar node-tar to 7.5.18 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-59874 is a vulnerability in the npm package node-tar (versions up to 7.5.17) that allows an attacker to cause an infinite loop in the tar.replace() function.

This happens when a tar archive contains a header with a negative base-256 encoded entry size that is still checksum-valid. The tar.replace() function scans the existing archive before appending replacement entries by parsing each tar header and advancing the archive position by the parsed entry size rounded to a 512-byte block boundary.

A crafted header can encode the entry size as -512, causing the scanner to repeatedly parse the same header without making progress, leading to an infinite loop.

This infinite loop consumes a worker process indefinitely, resulting in a denial of service.

Impact Analysis

This vulnerability can cause a denial of service by making the tar.replace() function enter an infinite loop when processing a maliciously crafted tar archive.

The infinite loop consumes system resources indefinitely, potentially causing worker processes to hang and making the application or service using node-tar unresponsive.

This impact occurs without requiring extraction or triggering exceptions, and it can be exploited if an attacker controls the archive file being processed.

Detection Guidance

This vulnerability occurs when the tar.replace() function processes a tar archive containing a checksum-valid header with a negative base-256 encoded entry size, causing an infinite loop. Detection involves identifying tar archives with such crafted headers.

Since the issue is triggered by a negative entry size in tar headers, you can detect potentially malicious archives by inspecting tar headers for negative or suspiciously encoded sizes.

There are no specific commands provided in the resources, but a general approach could be to use a script or tool to parse tar headers and check for negative or invalid size fields before processing them with node-tar.

Mitigation Strategies

The primary mitigation step is to upgrade the node-tar package to version 7.5.18 or later, where this vulnerability is fixed.

The fix includes validation to reject negative size values in tar headers, preventing the infinite loop condition.

Avoid processing untrusted or attacker-controlled tar archives with vulnerable versions of node-tar until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart