node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is fixed in version 7.5.17.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 09:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Isaacs
Isaacs tar |
|
| Vendors & Products |
Isaacs
Isaacs tar |
Fri, 10 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-170 | |
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Thu, 09 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 08 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.17, node-tar does not strip NUL bytes from PAX path and linkpath records in src/pax.ts, allowing a crafted archive with values to reach fs.lstat or fs.open and terminate the process with an uncaught exception. This issue is fixed in version 7.5.17. | |
| Title | node-tar: Uncaught Exception DoS via NUL byte in PAX path/linkpath records | |
| Weaknesses | CWE-248 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-07-08T15:20:29.997Z
Updated: 2026-07-09T13:45:44.160Z
Reserved: 2026-07-07T15:41:53.607Z
Link: CVE-2026-59875
Updated: 2026-07-09T13:44:17.889Z
No data.