CVE-2026-59873

Severity CVSS v4.0:
CRITICAL
Type:
Unavailable / Other
Publication date:
08/07/2026
Last modified:
10/07/2026

Description

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:isaacs:tar:*:*:*:*:*:node.js:*:* 7.5.19 (excluding)