CVE-2024-28863 — Uncontrolled Resource Consumption in Node-tar

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation of Resources Without Limits or Throttling8 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.6%

top 29.17%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Isaacs Node-tar Isaacs TAR GNU TAR

Timeline

PublishedMar 21

Latest updateMar 22

Description

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶CVEListV5isaacs/node-tar< 6.2.1

▶npmisaacs/node-tar< 6.2.1

▶Debianisaacs/node-tar< 6.1.13+~cs7.0.5-2+1

▶npmgnu/tar< 6.2.1

▶NVDisaacs/tar< 6.2.1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Denial of service while parsing a tar file due to lack of folders count validation↗2024-03-22

▶

GHSA

Denial of service while parsing a tar file due to lack of folders count validation↗2024-03-22

▶

CVEList

node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation↗2024-03-21

▶

OSV

CVE-2024-28863: node-tar is a Tar for Node↗2024-03-21

▶

📋Vendor Advisories

Red Hat

node-tar: denial of service while parsing a tar file due to lack of folders depth validation↗2024-03-21

▶

Microsoft

node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation↗2024-03-12

▶

Debian

CVE-2024-28863: node-tar - node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on t...↗2024

▶