<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Node-Tar - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/node-tar/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 12 Jul 2026 07:04:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/node-tar/feed.xml" rel="self" type="application/rss+xml"/><item><title>node-tar Denial-of-Service Vulnerability via Negative Tar Entry Size (CVE-2026-59874)</title><link>https://feed.craftedsignal.io/briefs/2026-07-node-tar-dos/</link><pubDate>Sun, 12 Jul 2026 07:04:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-node-tar-dos/</guid><description>A denial-of-service vulnerability, identified as CVE-2026-59874, exists in the 'node-tar' library, allowing a negative tar entry size to trigger an infinite loop when an archive is being replaced, potentially leading to system unavailability.</description><content:encoded><![CDATA[<p>The Microsoft Security Response Center (MSRC) has published details for CVE-2026-59874, a high-severity denial-of-service vulnerability affecting the <code>node-tar</code> library. This flaw can be triggered when a system attempts to replace an existing archive with a specially crafted tar file containing an entry with a negative size. Processing such a malicious archive leads to an infinite loop within the <code>node-tar</code> library, consuming excessive system resources and causing the affected application or service to become unresponsive. This vulnerability poses a risk to any application or service that utilizes <code>node-tar</code> for archive handling, potentially leading to critical service disruptions.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker creates a malicious tar archive.</li>
<li>The attacker embeds an entry within this archive that specifies a negative size value.</li>
<li>The attacker delivers this crafted tar archive to a target system.</li>
<li>A vulnerable application or service on the target system attempts to process the malicious archive using the <code>node-tar</code> library.</li>
<li>Specifically, the application initiates an archive replacement operation involving the malicious tar file.</li>
<li>The <code>node-tar</code> library, when parsing the tar entry with the negative size during the replacement, enters an infinite loop.</li>
<li>This infinite loop consumes all available CPU and memory resources on the system.</li>
<li>The affected application or the entire host system becomes unresponsive, resulting in a denial-of-service condition.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-59874 leads to a denial-of-service condition for applications utilizing the vulnerable <code>node-tar</code> library. This could manifest as severe resource exhaustion (CPU, memory), causing the affected application to hang, crash, or become entirely unresponsive. While no specific victims or targeting sectors are mentioned, any system processing untrusted tar archives with vulnerable versions of <code>node-tar</code> could be impacted, leading to significant operational disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch affected systems immediately by upgrading the <code>node-tar</code> library to a version that addresses CVE-2026-59874. Consult the <code>node-tar</code> project for specific remediation guidance.</li>
<li>Review applications that use the <code>node-tar</code> library to identify vulnerable instances.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>denial-of-service</category><category>vulnerability</category><category>node-tar</category><category>cve</category></item></channel></rss>