CVE-2026-59873 in node-tarinfo

Summary

by MITRE • 07/08/2026

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The node-tar library represents a critical vulnerability in Node.js applications that handle tar archive extraction operations. This flaw exists in versions prior to 7.5.19 where the library fails to implement proper safeguards against maliciously crafted archives that can cause resource exhaustion attacks. The vulnerability stems from insufficient validation mechanisms during the decompression process, particularly within the extraction and parsing components located in src/extract.ts. Attackers can exploit this weakness by creating small gzip bomb archives that, when processed by vulnerable node-tar versions, trigger excessive memory consumption and disk space depletion.

The technical implementation of this vulnerability allows for unlimited expansion of compressed data during extraction operations without enforcing reasonable limits on decompressed content size or entry count. This behavior creates a scenario where a maliciously constructed archive can rapidly consume available system resources, leading to denial of service conditions that affect not only the targeted application but potentially the entire system hosting it. The lack of upper bounds enforcement means that even relatively small archive files can trigger massive resource consumption during decompression operations.

From an operational perspective, this vulnerability poses significant risks to applications that process untrusted tar archives from external sources or user uploads. Systems relying on node-tar for package installation, backup restoration, or file distribution processes become vulnerable to resource exhaustion attacks that can render services unavailable or cause system instability. The impact extends beyond simple service disruption as attackers can potentially exhaust disk space completely, leading to system crashes or data loss scenarios.

The vulnerability aligns with CWE-400 which catalogs weaknesses related to resource exhaustion and improper input validation in software systems. It also maps to several ATT&CK techniques including T1499.004 for network denial of service and T1059.007 for command and scripting interpreter usage that could be leveraged in exploitation chains. Organizations using node-tar in production environments should prioritize immediate patching to version 7.5.19 or later, while also implementing additional monitoring for unusual resource consumption patterns during archive processing operations.

Mitigation strategies include not only applying the patched version but also implementing additional protective measures such as setting explicit limits on decompressed data size and entry counts within application code that utilizes node-tar. Network-level firewalls and intrusion detection systems should be configured to monitor for suspicious archive extraction activities, while system administrators should establish resource monitoring alerts for processes handling tar archives. Regular security audits of Node.js applications should include verification of node-tar version compliance and implementation of proper input validation controls to prevent exploitation of similar vulnerabilities in other libraries that may process compressed data.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!