Node.js Library Vulnerability in node-tar Affecting Multiple Versions
CVE-2026-59873

9.2CRITICAL

Key Information:

Vendor

Isaacs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59873?

The node-tar library for Node.js, used for manipulating tar archives, has a vulnerability that allows a specially crafted gzip file to consume excessive disk space and CPU resources. Prior to version 7.5.19, the library lacked restrictions on the total amount of decompressed data, the number of entries, and decompression ratios during extraction and parsing processes. This flaw can potentially lead to resource exhaustion, making systems vulnerable to denial-of-service attacks. Users are encouraged to upgrade to version 7.5.19 or later to mitigate this issue.

Affected Version(s)

node-tar < 7.5.19

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.