CVE-2026-59874 in node-tarinfo

Summary

by MITRE • 07/08/2026

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/08/2026

The node-tar library presents a significant denial of service vulnerability that affects applications relying on tar archive processing within Node.js environments. This flaw exists in versions prior to 7.5.18 where the tar.replace function fails to properly validate entry sizes in tar headers, creating a condition that can halt archive scanning operations indefinitely. The vulnerability stems from the library's handling of base-256 encoded entry sizes within tar headers, specifically when these values are negative. When a malicious or malformed tar archive contains a header with a negative base-256 encoded size, the parsing logic becomes trapped in an infinite loop as it repeatedly processes the same invalid header without making forward progress through the archive.

The technical implementation of this vulnerability involves the tar header validation mechanism failing to properly interpret negative values in the size field of tar entries. According to common weakness enumeration standards, this represents a weakness categorized under CWE-129 Input Validation and Normalization, specifically involving improper handling of encoded data values that should be validated against expected ranges. The issue manifests when the library's scanner encounters a header where the size field contains negative base-256 encoded values, causing the parsing loop to continue indefinitely without advancing through valid archive entries. This behavior violates fundamental assumptions about tar archive structure and can be exploited by attackers who craft malicious tar files containing such malformed headers.

Operationally, this vulnerability creates a severe denial of service condition that can affect any application using node-tar for processing user-provided or untrusted tar archives. Systems relying on tar extraction, backup operations, or file distribution mechanisms become vulnerable to indefinite hang conditions when processing compromised archives. The impact extends beyond simple resource exhaustion as the affected processes consume CPU cycles without making progress, potentially leading to service degradation or complete application unresponsiveness. From an attack perspective, this vulnerability aligns with ATT&CK technique T1499.004 Network Denial of Service where adversaries can craft inputs that cause services to become unresponsive through resource exhaustion or loop conditions. The vulnerability particularly affects applications that handle file uploads, automated backup systems, or any service processing external tar archives without proper input sanitization.

The fix implemented in version 7.5.18 addresses this issue by enhancing the validation logic for entry sizes within tar headers, ensuring that negative base-256 encoded values are properly rejected or handled rather than causing parsing loops. This remediation follows security best practices established in industry standards such as those outlined in the OWASP Top Ten and NIST cybersecurity guidelines, which emphasize the importance of input validation and proper error handling to prevent denial of service conditions. Organizations should immediately upgrade to version 7.5.18 or later to mitigate this vulnerability and ensure continued system availability. Additionally, implementing additional defensive measures such as timeout mechanisms for archive processing operations and runtime monitoring for abnormal CPU usage patterns can provide further protection against similar vulnerabilities in other components of the software stack.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!