Node.js Library Vulnerability in Tar Archive Manipulation by Isaac's Company
CVE-2026-59874
8.7HIGH
What is CVE-2026-59874?
The node-tar library, utilized for managing tar archives in Node.js applications, contains a vulnerability where the tar.replace function mishandles checksum-valid tar headers that contain negative base-256 encoded entry sizes. This flaw leads to a cycle where the archive scanner fails to progress as it continuously attempts to parse the same header, significantly impacting performance and potentially leading to application freezes. It is essential for developers relying on node-tar to update to version 7.5.18 or later to mitigate this issue.
Affected Version(s)
node-tar < 7.5.18
