CVE-2026-59873
HIGHnode-tar: Decompression/parse DoS via unlimited input
Title source: cnaDescription
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/isaacs/node-tar/security/advisories/GHSA-23hp-3jrh-7fpw
X_Refsource_Misc x_refsource_misc
https://github.com/isaacs/node-tar/commit/2812e9338665659b183aa7226518c307044957d3
X_Refsource_Misc x_refsource_misc
https://github.com/isaacs/node-tar/releases/tag/v7.5.19
Scores
CVSS v3
7.5
EPSS
0.0036
EPSS Percentile
28.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
isaacs/node-tar
< 7.5.19
isaacs/tar
< 7.5.19
Published
Jul 08, 2026
Tracked Since
Jul 08, 2026