Medium severity - Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability in tar (package.json)

[github-actions]

• Package Manager: npm
• Vulnerable module: tar
• Introduced through: juice-shop@12.3.0, sqlite3@5.0.2 and others

Detailed paths

• Introduced through: juice-shop@12.3.0 › sqlite3@5.0.2 › node-gyp@3.8.0 › tar@2.2.2
• Introduced through: juice-shop@12.3.0 › libxmljs2@0.26.7 › @mapbox/node-pre-gyp@1.0.8 › tar@6.1.11
• Introduced through: juice-shop@12.3.0 › node-pre-gyp@0.15.0 › tar@4.4.19
• Introduced through: juice-shop@12.3.0 › sqlite3@5.0.2 › node-pre-gyp@0.11.0 › tar@4.4.19

Overview

tar is a full-featured Tar for Node.js.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') due to the lack of folders count validation during the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running the software and even crash the client within few seconds of running it using a path with too many sub-folders inside.

Remediation

Upgrade tar to version 6.2.1 or higher.

References

• GitHub Commit
  
  SNYK-JS-TAR-6476909
  (CVE-2024-28863) tar@2.2.2