CVE-2026-59871 in node-tar
Summary
by MITRE • 07/08/2026
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPath(entry.path).split('/') to throw an uncaught TypeError. This issue is fixed in version 7.5.18.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/08/2026
The node-tar library represents a critical vulnerability in the Node.js ecosystem that demonstrates how seemingly minor type coercion issues can lead to significant security implications. This vulnerability specifically affects versions prior to 7.5.18 and stems from improper handling of numeric values within PAX archive metadata. The flaw occurs in the src/pax.ts file where all-digit PAX path and linkpath values are automatically coerced into JavaScript numbers without proper validation or sanitization. When these numeric values subsequently pass through downstream processing functions like normalizeWindowsPath(entry.path).split('/'), the code encounters a type mismatch that results in an uncaught TypeError exception.
The technical execution of this vulnerability involves the manipulation of archive metadata during tar file parsing operations. PAX format entries contain metadata fields such as path and linkpath that may contain numeric values representing file locations or symbolic links. When node-tar processes these entries, it performs automatic type coercion that transforms legitimate numeric strings into JavaScript numbers. This transformation creates a cascading issue where subsequent string manipulation functions expect string inputs but receive numeric types, causing the split() method to fail since numeric values cannot be directly split using string delimiters.
This vulnerability directly impacts system availability and can be exploited in denial-of-service scenarios within applications that rely on node-tar for archive processing. The uncaught TypeError exception terminates application execution flow, potentially affecting web applications, build systems, or automated deployment pipelines that depend on tar archive manipulation. From a cybersecurity perspective, this represents a privilege escalation vector since attackers can craft malicious tar archives containing specially formatted PAX entries that will cause the target application to crash when attempting to process them. The vulnerability maps to CWE-192 which describes "Incorrect Conversion of Numeric Data Types" and also relates to CWE-476 which covers "Null Pointer Dereference" scenarios that can occur due to improper type handling.
The operational impact extends beyond simple application crashes to encompass broader system stability concerns within software supply chains. Applications using node-tar for deployment automation, backup systems, or container image processing could experience unexpected downtime when encountering maliciously crafted archives. This vulnerability particularly affects CI/CD pipelines where automated builds process tar files from untrusted sources, creating potential attack vectors for remote code execution through indirect exploitation pathways. Organizations implementing security controls should consider this vulnerability as part of their software supply chain risk management strategy.
Mitigation strategies include immediate upgrading to node-tar version 7.5.18 or later, which implements proper type validation and prevents the automatic coercion of PAX path values into numeric types. Additional defensive measures involve implementing input sanitization at multiple layers including validating archive metadata before processing, using try-catch blocks around archive operations to handle potential type conversion errors gracefully, and establishing monitoring for uncaught exceptions in applications that process tar files. Security teams should also consider implementing automated vulnerability scanning tools that can detect the presence of vulnerable node-tar versions within container images and application deployments. The ATT&CK framework categorizes this as a Software Supply Chain Attack vector under T1195.002 which covers "Compromise Software Dependencies and Development Tools" and represents a common exploitation pattern where attackers target widely used libraries to gain broader system access through indirect means rather than direct attack vectors.