CVE-2026-59873
node-tar: Decompression/parse DoS via unlimited input
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.19, node-tar does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths such as src/extract.ts, allowing a small crafted gzip bomb to exhaust disk space and CPU. This issue is fixed in version 7.5.19.
| CWE | CWE-770 |
| Vendor | isaacs |
| Product | node-tar |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for isaacs node-tar
Be the first to know when new unknown vulnerabilities affecting isaacs node-tar are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
isaacs / node-tar
< 7.5.19