CVE-2026-59875 in node-tar
Summary
by MITRE • 07/08/2026
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is fixed in version 7.5.17.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/08/2026
The node-tar library presents a critical security vulnerability affecting versions prior to 7.5.17 through improper handling of NUL byte termination in PAX archive records. This flaw exists within the src/pax.ts file where the library fails to sanitize path and linkpath values from PAX headers before passing them to core filesystem operations. The vulnerability stems from insufficient input validation and sanitization mechanisms that allow maliciously crafted tar archives to contain NUL terminated strings in their path records, which then propagate directly into filesystem function calls such as fs.lstat or fs.open.
The technical implementation of this vulnerability exploits the fundamental way PAX format handles extended path information through environment variables stored within archive headers. When node-tar processes these headers without stripping NUL bytes from the parsed values, it creates a scenario where the underlying filesystem APIs receive malformed input that triggers uncaught exceptions during file system operations. This occurs because the Node.js filesystem APIs expect properly terminated strings, and when they encounter NUL bytes embedded within path strings, the operations fail catastrophically rather than gracefully handling the malformed data.
From an operational impact perspective, this vulnerability enables attackers to craft malicious tar archives that can cause arbitrary process termination when the archive is processed by any application using vulnerable versions of node-tar. The attack vector requires only that a victim processes a specially crafted archive file, making it particularly dangerous in automated build systems, deployment pipelines, or any environment where untrusted archive files are decompressed or analyzed. The uncaught exception behavior means that applications relying on node-tar for archive processing can experience complete service disruption without proper error handling.
This vulnerability maps directly to CWE-170, which specifically addresses improper handling of NUL bytes in input strings, and aligns with ATT&CK technique T1203 by enabling process injection through archive manipulation. The flaw represents a classic case of insufficient input sanitization where untrusted data flows directly into critical system operations without proper validation or escaping mechanisms. Organizations using node-tar in production environments must urgently upgrade to version 7.5.17 or later to address this security gap, as the vulnerability has no legitimate use case and only exists as a result of inadequate defensive programming practices in the library's header parsing logic.
The fix implemented in version 7.5.17 addresses this by ensuring that all path and linkpath values extracted from PAX headers undergo proper NUL byte stripping before being passed to filesystem operations, thereby preventing malformed input from reaching the underlying system calls where they would otherwise cause uncaught exceptions and process termination. This remediation approach follows established security best practices for handling untrusted input in system-level operations and aligns with industry standards for secure coding practices in Node.js applications that interact with file systems.