External risk intelligence

node-tar Archive Extraction Denial of Service Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-59873

The vulnerability exists in a software library used for archive manipulation. While such libraries may be used in internet-facing applications, they are typically internal components within a development framework rather than exposed, internet-facing services or gateways themselves. Public exposure is not a default or common deployment pattern for this library.

Isaacs Tar

before 7.5.19

Halo Surface Signal: 2 out of 5 — less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the node-tar library could allow a specially crafted archive file to consume excessive disk space and processing power, potentially leading to denial of service. This issue affects the extraction and parsing capabilities of the library.

  • Crafted archives can overwhelm systems.
  • Prevents denial of service on systems.
  • Confirm relevance and exposure of library.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted archive file. If the application uses the vulnerable library to process this archive, it may fail to limit the decompressed data size. This could lead to the application consuming all available disk space and CPU resources, causing a denial of service.

  • No special access required.
  • Triggered by archive processing.
  • Risk of resource exhaustion.

Live Threat

Current exploitation, exposure, and threat context

A specially crafted gzip bomb could exhaust disk space and CPU resources on a system processing tar archives. This could occur when the `node-tar` library, used for archive manipulation in Node.js applications, is parsing or extracting archives without proper upper bounds on decompressed data.

  • System disk space and CPU.
  • Crafted gzip bomb processed.
  • Denial of service to the application.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in `node-tar` affects applications that handle archive decompression. Application owners, platform teams, and security teams should collaborate to identify and mitigate this risk, prioritizing systems processing untrusted archives. The initial step involves an inventory of where `node-tar` is utilized, assessing potential exposure, and then planning for remediation during planned maintenance windows.

  • Application owners should manage this issue.
  • Verify systems processing untrusted archives.
  • Plan for remediation in maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is node-tar and why is it used?

node-tar is a foundational library for the Node.js ecosystem, commonly used by developers to programmatically create, read, and extract tar archives. It acts as a low-level utility that handles the complexities of file system packaging, making it a frequent dependency in tools that manage deployments, file uploads, or backups within JavaScript applications.

What is the vulnerability in CVE-2026-59873?

This CVE represents a weakness classified as CWE-770, which involves the failure to allocate or release resources properly. Specifically, the library lacks hard limits on file sizes and entry counts during decompression. Because it does not cap these values, a maliciously crafted archive can force the system to expand significantly more data than intended, consuming all available CPU and disk space.

How can an attacker trigger this resource exhaustion?

The condition is triggered when the library processes a specially crafted file, often called a gzip bomb. It is important to note that the vulnerability is not triggered by simply storing or moving a file; the system must actively attempt to parse or extract the contents of the malicious archive for the resource exhaustion to occur.

Is my application at risk if it uses node-tar?

Your risk depends on how your application uses the library. According to Halo Surface Signal, while the library is widely used, it is typically an internal component rather than an internet-facing gateway. You should be most concerned if your system specifically accepts and processes archive uploads from users or untrusted external sources.

How do I address this node-tar vulnerability?

Your first step is to perform an inventory to identify which applications in your environment rely on older versions of the node-tar library. Once identified, plan an update to version 7.5.19 or later, which introduces the necessary bounds to prevent resource exhaustion. Prioritize systems that handle archives from untrusted sources during your next maintenance window.

References