tlder@devnode-tar 7.5.18 patches an 8.7-severity infinite-loop DoS
tlder@dev:~$
Security/CVEs/Advisories

node-tar 7.5.18 patches an 8.7-severity infinite-loop DoS

  • Shipped
  • Action required
  • High importance

The headline bug, CVE-2026-59874, sits in tar.replace: hand it a checksum-valid header whose entry size is a negative base-256 value and the archive scanner stops making progress, parsing the same header forever. It scores 8.7 — high — because the library underpins npm itself and ships in a large slice of the Node ecosystem, so anything that accepts an untrusted archive is in range. Two smaller issues rode along in the same release. CVE-2026-59871 crashes the process when a PAX header carries an all-digit path that the parser coerces to a number and then tries to split; a third advisory covers a PAX size-override parser differential. Upgrade to 7.5.18 if you extract or rewrite tarballs you didn't create — the maintainer folded all three fixes into one release, so there's nothing to cherry-pick.