CVE-2026-59874
node-tar: Negative tar entry size causes infinite loop in archive replace
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.
| CWE | CWE-835 |
| Vendor | isaacs |
| Product | node-tar |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for isaacs node-tar
Be the first to know when new unknown vulnerabilities affecting isaacs node-tar are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
isaacs / node-tar
< 7.5.18