You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
CVE-2024-28863 - Medium Severity Vulnerability
Vulnerable Libraries - tar-2.2.2.tgz, tar-6.1.8.tgz, tar-4.4.17.tgz
tar-2.2.2.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-gyp/node_modules/tar/package.json
Dependency Hierarchy:
tar-6.1.8.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-6.1.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar/package.json,/frontend/node_modules/tar/package.json
Dependency Hierarchy:
tar-4.4.17.tgz
tar for node
Library home page: https://registry.npmjs.org/tar/-/tar-4.4.17.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/node-pre-gyp/node_modules/tar/package.json,/node_modules/sqlite3/node_modules/tar/package.json
Dependency Hierarchy:
Found in HEAD commit: ba236fd18ec3e6450d68d675bce1609d2e5d3230
Found in base branch: main
Vulnerability Details
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Publish Date: 2024-03-21
URL: CVE-2024-28863
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-f5x3-32g6-xq36
Release Date: 2024-03-21
Fix Resolution: tar - 6.2.1
The text was updated successfully, but these errors were encountered: