You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
CVE-2024-28863 - Medium Severity Vulnerability
Vulnerable Libraries - tar-2.2.2.tgz, tar-4.4.13.tgz, tar-6.0.2.tgz, tar-4.4.2.tgz
tar-2.2.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz
Path to dependency file: /node_modules/tar/package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
tar-4.4.13.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.13.tgz
Path to dependency file: /node_modules/tar/package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
tar-6.0.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.0.2.tgz
Path to dependency file: /node_modules/tar/package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
tar-4.4.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.2.tgz
Path to dependency file: /node_modules/tar/package.json
Path to vulnerable library: /node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: ca255a4489b5c937cfb850ddee46dc5b8c99d85e
Found in base branch: master
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
The text was updated successfully, but these errors were encountered: