Moderate severity · NVD Advisory · Published Mar 21, 2024 · Updated Feb 13, 2025
node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation
CVE-2024-28863
Description
node-tar is a tar archive implementation for Node.js. Versions prior to 6.2.1 place no limit on the number of nested sub-folders created while extracting an archive. An attacker who supplies an archive containing an entry nested in a very large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js process within a few seconds of extraction. Version 6.2.1 fixes this issue by refusing to extract entries whose paths are excessively deep.
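The mechanics, as an added example that is not node-tar's own code: a minimal ustar/PAX reader plus a dry-run extractor that plans the directories an archive would create and applies a maximum path-depth guard of the kind the 6.2.1 fix introduced. The limit value (1024), the option name `maxDepth`, the helper names and the two constructed archives are this example's own assumptions; the page does not state the exact limit node-tar 6.2.1 applies.

```javascript
'use strict';
// Added example (not node-tar's code): minimal ustar/PAX reader with a path-depth guard.
// The 1024 limit, the maxDepth option name and the sample archives are assumptions.
const BLOCK = 512;

const octal = (n, len) => n.toString(8).padStart(len - 1, '0') + '\0';
const cstr = (buf, off, len) => buf.toString('latin1', off, off + len).split('\0')[0];
const pad = (buf) => { const r = buf.length % BLOCK; return r ? Buffer.concat([buf, Buffer.alloc(BLOCK - r)]) : buf; };

// --- archive builder, used only to construct the sample inputs ---
function header(path, type, size) {
  const h = Buffer.alloc(BLOCK);
  h.write(path.slice(0, 100), 0, 'latin1');   // name field (100 bytes); a PAX header overrides longer paths
  h.write(octal(0o755, 8), 100);              // mode
  h.write(octal(0, 8), 108);                  // uid
  h.write(octal(0, 8), 116);                  // gid
  h.write(octal(size, 12), 124);              // size
  h.write(octal(0, 12), 136);                 // mtime
  h.write('        ', 148);                   // chksum is computed with the field blanked to spaces
  h.write(type, 156);                         // typeflag: '0' file, '5' directory, 'x' PAX extended header
  h.write('ustar\0' + '00', 257);             // magic + version
  let sum = 0; for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

// PAX record "<total length> <key>=<value>\n"; the length counts its own digits.
function paxRecord(key, value) {
  const body = ` ${key}=${value}\n`;
  let n = body.length + 1;
  while (String(n).length + body.length !== n) n = String(n).length + body.length;
  return `${n}${body}`;
}

function entry(path, type, body = Buffer.alloc(0)) {
  const chunks = [];
  if (path.length > 100) {                    // too long for the name field: emit a PAX header first
    const rec = Buffer.from(paxRecord('path', path), 'latin1');
    chunks.push(header('./PaxHeader', 'x', rec.length), pad(rec));
  }
  chunks.push(header(path, type, body.length), pad(body));
  return Buffer.concat(chunks);
}

const archive = (...entries) => Buffer.concat([...entries, Buffer.alloc(2 * BLOCK)]); // two zero blocks terminate

// --- reader ---
function* readEntries(buf) {
  let off = 0, pax = null;
  while (off + BLOCK <= buf.length) {
    const h = buf.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break;       // end-of-archive marker
    let sum = 0;
    for (let i = 0; i < BLOCK; i++) sum += (i >= 148 && i < 156) ? 0x20 : h[i];
    if (sum !== parseInt(cstr(h, 148, 8), 8)) throw new Error(`bad header checksum at offset ${off}`);
    const size = parseInt(cstr(h, 124, 12), 8) || 0;
    const type = h[156] === 0 ? '0' : String.fromCharCode(h[156]);
    const data = buf.subarray(off + BLOCK, off + BLOCK + size);
    off += BLOCK * (1 + Math.ceil(size / BLOCK));
    if (type === 'x') {                       // extended header: applies to the next entry only
      pax = {};
      for (const line of data.toString('latin1').split('\n')) {
        if (!line) continue;
        const sp = line.indexOf(' '), eq = line.indexOf('=', sp);
        pax[line.slice(sp + 1, eq)] = line.slice(eq + 1);
      }
      continue;
    }
    yield { path: (pax && pax.path) || cstr(h, 0, 100), type, size };
    pax = null;
  }
}

// Dry-run extraction: returns every directory that would be created (each parent of each
// entry, as mkdirp does) and the entries the guards refuse. maxDepth = Infinity reproduces
// the pre-6.2.1 behaviour, where one small entry forces an unbounded chain of directories.
function planExtraction(tarBuf, { maxDepth = 1024 } = {}) {
  const dirs = new Set();
  const refused = [];
  for (const e of readEntries(tarBuf)) {
    const parts = e.path.split(/[\\/]+/).filter((s) => s && s !== '.');
    if (parts.includes('..')) { refused.push({ path: e.path, reason: 'path traversal' }); continue; }
    if (parts.length > maxDepth) { refused.push({ path: e.path, reason: `depth ${parts.length} > ${maxDepth}` }); continue; }
    const dirParts = e.type === '5' ? parts : parts.slice(0, -1);
    for (let i = 1; i <= dirParts.length; i++) dirs.add(dirParts.slice(0, i).join('/'));
  }
  return { dirs: [...dirs], refused };
}

// Constructed sample archives (not real-world captures).
const benign = archive(entry('docs/', '5'), entry('docs/README', '0', Buffer.from('hello\n')));
const deep = archive(entry('a/'.repeat(2000) + 'x', '0', Buffer.from('boom')));

console.log(planExtraction(benign).dirs);                               // [ 'docs' ]
console.log(planExtraction(deep, { maxDepth: Infinity }).dirs.length);  // 2000, from a single 5 KB entry
console.log(planExtraction(deep).refused[0].reason);                    // depth 2001 > 1024
```

The `deep` archive is a few kilobytes, yet without the guard a single entry makes the extractor create two thousand nested directories, each path longer than the last; scaling the nesting up is what exhausts memory and time in the vulnerable versions. The guard rejects the entry before any directory exists, which is the point of the fix: the check has to run on the normalised path before `mkdir`, not after. Because node-tar is bundled inside npm itself, `npm ls tar` in a project is a quick way to find every copy in the dependency tree, which explains why the affected-product list below also carries npm and Node.js distribution packages.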
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| node-tar | npm | < 6.2.1 | 6.2.1 |
| tar | npm | < 6.2.1 | 6.2.1 |
Affected products
68 package versions, identified by OSV coordinates (purl); none has a CPE assigned.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/lerna | < 8.1.3-r0 |
| pkg:apk/chainguard/nodejs-14 | < 14.21.3-r1 |
| pkg:apk/chainguard/npm | < 10.5.1-r0 |
| pkg:apk/chainguard/npm-doc | < 10.5.1-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2 | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-alerting-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-anomaly-detection-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-compat | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-config | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-maps | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-notifications | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-observability | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-query-workbench | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-reporting | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-search-relevance | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-dashboards-visualizations | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-alerting-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-anomaly-detection-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-config | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-maps | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-notifications | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-observability | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-query-workbench | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-reporting | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-search-relevance | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-dashboards-visualizations | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-index-management-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-ml-commons-dashboards | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-security-analytics-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-fips-security-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-index-management-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-ml-commons-dashboards | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-security-analytics-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/opensearch-dashboards-2-security-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/chainguard/sqlpad | < 7.4.1-r3 |
| pkg:apk/chainguard/sqlpad-compat | < 7.4.1-r3 |
| pkg:apk/wolfi/lerna | < 8.1.3-r0 |
| pkg:apk/wolfi/npm | < 10.5.1-r0 |
| pkg:apk/wolfi/npm-doc | < 10.5.1-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2 | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-alerting-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-anomaly-detection-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-compat | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-config | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-maps | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-notifications | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-observability | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-query-workbench | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-reporting | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-search-relevance | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-dashboards-visualizations | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-index-management-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-ml-commons-dashboards | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-security-analytics-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/wolfi/opensearch-dashboards-2-security-dashboards-plugin | < 2.15.0-r0 |
| pkg:apk/wolfi/sqlpad | < 7.4.1-r3 |
| pkg:apk/wolfi/sqlpad-compat | < 7.4.1-r3 |
| pkg:npm/node-tar | < 6.2.1 |
| pkg:npm/tar | < 6.2.1 |
| pkg:rpm/almalinux/nodejs | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db |
| pkg:rpm/almalinux/nodejs-devel | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db |
| pkg:rpm/almalinux/nodejs-docs | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db |
| pkg:rpm/almalinux/nodejs-full-i18n | < 1:20.16.0-1.module_el8.10.0+3882+e12e42db |
| pkg:rpm/almalinux/nodejs-nodemon | < 3.0.1-1.module_el8.9.0+3731+490e3ce5 |
| pkg:rpm/almalinux/nodejs-packaging | < 2021.06-4.module_el8.9.0+3775+d8460d35 |
| pkg:rpm/almalinux/nodejs-packaging-bundler | < 2021.06-4.module_el8.9.0+3775+d8460d35 |
| pkg:rpm/almalinux/npm | < 1:10.8.1-1.20.16.0.1.module_el8.10.0+3882+e12e42db |
References
- https://github.com/advisories/GHSA-f5x3-32g6-xq36 (GitHub advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-28863 (NVD advisory)
- https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 (fix commit)
- https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36 (vendor advisory)
- https://security.netapp.com/advisory/ntap-20240524-0005/ (NetApp advisory)