Node.js Library Vulnerability in Tar Archive Manipulation by Isaac's Company
CVE-2026-59874

8.7HIGH

Key Information:

Vendor

Isaacs

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59874?

The node-tar library, utilized for managing tar archives in Node.js applications, contains a vulnerability where the tar.replace function mishandles checksum-valid tar headers that contain negative base-256 encoded entry sizes. This flaw leads to a cycle where the archive scanner fails to progress as it continuously attempts to parse the same header, significantly impacting performance and potentially leading to application freezes. It is essential for developers relying on node-tar to update to version 7.5.18 or later to mitigate this issue.

Affected Version(s)

node-tar < 7.5.18

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.