Lucene search
K

379 matches found

RedhatCVE
RedhatCVE
added 4 days ago6 views

CVE-2026-59874

A flaw was found in node-tar, a tar archive manipulation library for Node.js. A remote attacker could exploit this vulnerability by providing a specially crafted tar archive with a negative entry size in its header. This malformed header causes the archive scanner to enter an infinite loop,...

8.7CVSS5.8AI score0.00358EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 4 days ago5 views

CVE-2026-59875

A flaw was found in node-tar, a library for manipulating tar archives in Node.js. A remote attacker could craft a malicious archive containing null characters NUL bytes in its metadata. When this archive is processed, the unstripped null characters can cause the application to terminate...

5.3CVSS5.9AI score0.00291EPSS
Exploits0References6
RedhatCVE
RedhatCVE
added 4 days ago6 views

CVE-2026-59873

A flaw was found in node-tar, a tar archive manipulation library for Node.js. This vulnerability allows a remote attacker to craft a small gzip bomb, which, when processed, can lead to the exhaustion of disk space and CPU resources. This occurs because node-tar does not enforce strict limits on t...

9.2CVSS5.8AI score0.00358EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 4 days ago5 views

CVE-2026-59871

A flaw was found in node-tar, a library for manipulating tar archives in Node.js. This vulnerability occurs when the library incorrectly converts specific archive path values into numbers, leading to an error during subsequent path processing. An attacker could exploit this to cause the applicati...

7.5CVSS5.9AI score0.00358EPSS
Exploits1References6
RedhatCVE
RedhatCVE
added 4 days ago7 views

CVE-2026-53655

A flaw was found in node-tar. This vulnerability arises because node-tar incorrectly applies PAX extended header size records to subsequent intermediary metadata headers, leading to a desynchronization of the tar stream cursor compared to other standard tar implementations. A remote attacker coul...

6.9CVSS5.9AI score0.00107EPSS
Exploits1References4
NVD
NVD
added 5 days ago10 views

CVE-2026-59875

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is...

5.3CVSS0.00291EPSS
Exploits0References3
NVD
NVD
added 5 days ago15 views

CVE-2026-59871

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPathentry.path.split'/' to throw an uncaught TypeError. This issue is...

7.5CVSS0.00358EPSS
Exploits1References3
NVD
NVD
added 5 days ago9 views

CVE-2026-59873

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...

9.2CVSS0.00358EPSS
Exploits1References3
CVE
CVE
added 5 days ago9 views

CVE-2026-59871

CVE-2026-59871 affects the node-tar library for Node.js. Prior to version 7.5.18, node-tar coerces all-digit PAX path and linkpath values to JavaScript numbers in src/pax.ts, causing downstream path handling (e.g., normalizeWindowsPath(entry.path).split('/')) to throw an uncaught TypeError. Red H...

7.5CVSS5.9AI score0.00358EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-59871 node-tar: Process crash via PAX numeric path type confusion

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPathentry.path.split'/' to throw an uncaught TypeError. This issue is...

5.3CVSS0.00358EPSS
Exploits1References3
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42308

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPathentry.path.split'/' to throw an uncaught TypeError. This issue is...

5.3CVSS5.9AI score0.00358EPSS
Exploits1References3
CVE
CVE
added 5 days ago10 views

CVE-2026-59874

node-tar is a Node.js tar archive library. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to loop on the same header and make no progress; this is fixed in version 7.5.18. Upgrade to 7.5.18 to remediate. Th...

8.7CVSS5.9AI score0.00358EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-59874 node-tar: Negative tar entry size causes infinite loop in archive replace

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18...

8.7CVSS0.00358EPSS
Exploits1References3
Debian CVE
Debian CVE
added 5 days ago4 views

CVE-2026-59874

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18...

8.7CVSS5.9AI score0.00358EPSS
Exploits1
CVE
CVE
added 5 days ago16 views

CVE-2026-59873

CVE-2026-59873 affects node-tar (Node.js) prior to v7.5.19. The issue arises because the library did not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction/parsing code (e.g., src/extract.ts), enabling a crafted gzip input to cause resource ex...

9.2CVSS5.9AI score0.00358EPSS
Exploits1References3Affected Software1
Cvelist
Cvelist
added 5 days ago36 views

CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...

9.2CVSS0.00358EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 5 days ago5 views

CVE-2026-59873

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...

9.2CVSS5.9AI score0.00358EPSS
Exploits1References4Affected Software1
Debian CVE
Debian CVE
added 5 days ago6 views

CVE-2026-59873

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...

9.2CVSS5.9AI score0.00358EPSS
Exploits1
EUVD
EUVD
added 5 days ago5 views

EUVD-2026-42305

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk spac...

9.2CVSS5.9AI score0.00358EPSS
Exploits1References3
CVE
CVE
added 5 days ago9 views

CVE-2026-59875

CVE-2026-59875 affects the Node.js tar library node-tar prior to 7.5.17. The root cause is that NUL bytes are not stripped from PAX path and linkpath records in src/pax.ts, which can allow a crafted archive to reach fs.lstat or fs.open and terminate the process with an uncaught exception. The iss...

5.3CVSS5.9AI score0.00291EPSS
Exploits0References3
Rows per page
Query Builder