CVE-2026-59875
Received Received - Intake

Path Traversal in Node.js node-tar Library

Vulnerability report for CVE-2026-59875, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is fixed in version 7.5.17.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
isaacs node-tar to 7.5.17 (exc)
isaacs node-tar 7.5.17
nodejs node-tar to 7.5.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

CVE-2026-59875 is a denial-of-service vulnerability in the node-tar package that allows remote attackers to cause process termination by exploiting improper handling of NUL bytes in PAX headers. This vulnerability can disrupt systems processing untrusted tarballs, such as npm registries, CI/CD pipelines, and cloud functions.

While the vulnerability causes availability issues due to denial-of-service, there is no indication from the provided information that it leads to unauthorized access, data leakage, or modification of sensitive data.

Therefore, based on the available information, this vulnerability primarily impacts system availability but does not directly affect confidentiality or integrity controls that are typically emphasized in standards like GDPR or HIPAA.

Organizations relying on node-tar in their processing pipelines should consider the risk of service disruption but there is no explicit mention of compliance violations related to data protection regulations in the provided resources.

Executive Summary

CVE-2026-59875 is a denial-of-service vulnerability in the node-tar package, which is used for manipulating tar archives in Node.js. The issue occurs because node-tar does not properly strip NUL bytes from PAX path and linkpath records. Attackers can craft tar archives with NUL bytes embedded in filenames, which causes Node.js core functions like fs.lstat() and fs.open() to throw an ERR_INVALID_ARG_VALUE error. This error triggers an uncaught exception that terminates the process, leading to a denial-of-service.

The vulnerability bypasses normal error handling because the exception happens inside Node.js's internal asynchronous operations, outside of user-controlled try-catch blocks. Additionally, node-tar's handling of NUL bytes differs from other tools, allowing attackers to bypass pre-extraction validation by exploiting parser differences.

This issue was fixed in node-tar version 7.5.17 by modifying the code to strip NUL bytes from PAX header values, similar to how GNU headers are handled.

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) condition on any system that processes untrusted tar archives using node-tar versions 7.5.16 and earlier. An attacker can craft malicious tarballs that cause the Node.js process to terminate unexpectedly due to uncaught exceptions.

  • Disruption of services that rely on node-tar for archive extraction, such as npm registries.
  • Interruption of CI/CD pipelines that use node-tar to handle tar archives.
  • Potential downtime or failure in cloud functions or other automated systems processing tar files.
Detection Guidance

This vulnerability arises when processing crafted tar archives containing NUL bytes in PAX path and linkpath records, which cause Node.js functions like fs.lstat() or fs.open() to throw uncaught exceptions and terminate the process.

Detection involves monitoring for unexpected process terminations or crashes related to node-tar when handling tar archives, especially those from untrusted sources.

Since the vulnerability triggers uncaught exceptions during tar extraction, you can detect it by running node-tar extraction commands on suspicious tarballs and observing if the process terminates unexpectedly.

No specific detection commands are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the node-tar package to version 7.5.17 or later, where the vulnerability is fixed by stripping NUL bytes from PAX header values.

Until the upgrade is applied, avoid processing untrusted tar archives with vulnerable versions of node-tar to prevent denial-of-service attacks.

Additionally, implement monitoring to detect unexpected process terminations during tar extraction and consider sandboxing or isolating processes that handle tar archives.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59875. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart