VYPR
patchPublished Jul 9, 2026· Updated Jul 13, 2026· 1 source

Node Tar: Four Archive Handling Flaws Patched in Same-Day Disclosure

Key findings • Four vulnerabilities in Node Tar disclosed on July 9, 2026, affecting archive parsing and extraction. • Issues include NUL byte handling, negative entry sizes, and resource exh…

Key findings

  • Four vulnerabilities in Node Tar disclosed on July 9, 2026, affecting archive parsing and extraction.
  • Issues include NUL byte handling, negative entry sizes, and resource exhaustion via crafted archives.
  • Patches are available in Node Tar versions 7.5.17, 7.5.18, and 7.5.19.
  • Vulnerabilities could lead to process termination or denial-of-service conditions.

On July 9, 2026, a batch of four vulnerabilities was disclosed in the Node Tar library, a tar archive manipulation library for Node.js. These vulnerabilities, all patched in various versions of the library, highlight potential issues in handling crafted archive data, including NUL bytes, negative entry sizes, and excessive decompression.

The vulnerabilities include:

  • CVE-2026-59875: This vulnerability in src/pax.ts involves a failure to strip NUL bytes from PAX path and linkpath records. A specially crafted archive could lead to an uncaught exception when interacting with fs.lstat or fs.open, potentially terminating the Node.js process. This issue is addressed in version 7.5.17.
  • CVE-2026-59874: Affecting the tar.replace functionality, this flaw allows a tar archive with a negative base-256 encoded entry size to be parsed. The scanner would make no progress, repeatedly parsing the same header. Version 7.5.18 resolves this problem.
  • CVE-2026-59873: This vulnerability relates to extraction and parsing paths, such as src/extract.ts. Node Tar did not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratios. A crafted gzip bomb could exploit this to exhaust disk space and CPU resources. The fix is included in version 7.5.19.
  • CVE-2026-59871: In src/pax.ts, all-digit PAX path and linkpath values were coerced into JavaScript numbers. This led to downstream path handling functions, like normalizeWindowsPath(entry.path).split('/'), throwing an uncaught TypeError. Version 7.5.18 corrects this behavior.

All reported vulnerabilities were fixed in subsequent versions of the Node Tar library, with patches available in versions 7.5.17, 7.5.18, and 7.5.19. Users are advised to update to the latest available version to mitigate these risks. The timely disclosure and patching of these issues by the maintainers aim to protect Node.js applications relying on the Node Tar library from potential denial-of-service or unhandled exception scenarios.

This batch of disclosures underscores the importance of robust input validation and resource management within libraries that handle external data formats like tar archives. Developers using Node Tar should ensure their applications are updated to the patched versions to prevent potential disruptions caused by maliciously crafted archives. The fixes address specific parsing and extraction logic flaws, reinforcing the security posture of the Node.js ecosystem.

Synthesized by Vypr AI