Updated: 2025-12-28 04:22:36.090541
Description:
node-tar is a tar implementation for Node.js. Versions of node-tar prior to 6.2.1 place no limit on the number of sub-folders created during the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction into excessively deep sub-folders.
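A pre-extraction check for the unbounded folder depth described above, as an added example (not node-tar's code or its 6.2.1 fix): it reads only the header blocks of an uncompressed tar held in a Buffer and reports entries nested deeper than a limit. The function names and the 1024 default are assumptions; ustar name/prefix fields and PAX `path` records are handled, GNU long-name entries are not.

```javascript
// Added example, not node-tar code. Names and the 1024 default are assumptions.
// NUL-terminated string field of a 512-byte header block.
const field = (b, off, len) => b.toString('utf8', off, off + len).split('\0')[0];
// Number of real path components: "a//b/./c" has 3.
const pathDepth = (p) => p.split('/').filter((s) => s && s !== '.').length;

// "path" value from a PAX body made of "LEN key=value\n" records.
function paxPath(body) {
  let path = null;
  for (let i = 0; i < body.length;) {
    const sp = body.indexOf(0x20, i);
    const len = sp < 0 ? NaN : parseInt(body.toString('latin1', i, sp), 10);
    if (!(len > 0)) break; // malformed record: stop parsing
    const rec = body.toString('utf8', sp + 1, i + len - 1);
    if (rec.startsWith('path=')) path = rec.slice(5);
    i += len;
  }
  return path;
}

// Read header blocks only; list entries nested deeper than maxDepth.
function findDeepEntries(archive, maxDepth = 1024) {
  const deep = [];
  let override = null; // path set by a preceding PAX 'x' header
  for (let off = 0; off + 512 <= archive.length;) {
    const h = archive.subarray(off, off + 512);
    if (h.every((x) => x === 0)) break; // end-of-archive block
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    if (h[156] === 0x78) {
      override = paxPath(archive.subarray(off + 512, off + 512 + size));
    } else {
      const prefix = field(h, 345, 155);
      const name = override ?? (prefix ? prefix + '/' : '') + field(h, 0, 100);
      if (pathDepth(name) > maxDepth) deep.push({ name, depth: pathDepth(name) });
      override = null;
    }
    off += 512 + Math.ceil(size / 512) * 512;
  }
  return deep;
}

// Constructed sample: one shallow file, then a PAX path 2000 folders deep.
function tarEntry(name, type, data = '') { // checksum left blank, not verified here
  const h = Buffer.alloc(512), d = Buffer.from(data);
  h.write(name, 0, 100); h.write(d.length.toString(8).padStart(11, '0'), 124); h.write(type, 156);
  return Buffer.concat([h, d, Buffer.alloc((512 - (d.length % 512)) % 512)]);
}
const deepPath = 'd/'.repeat(2000) + 'f.txt', paxRec = ` path=${deepPath}\n`;
const sample = Buffer.concat([tarEntry('docs/readme.txt', '0', 'hi'), // +4: length digits
  tarEntry('PaxHeader', 'x', (paxRec.length + 4) + paxRec), tarEntry('f.txt', '0')]);
```

Run it on the decompressed bytes before handing an untrusted archive to an extractor, and reject the archive if the returned list is non-empty.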
Links: NIST | CIRCL | RHEL | Ubuntu

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0.0 |
| CVSS Version 3.x | MEDIUM | 6.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | tar | 1.34 | 6.5 | MEDIUM | In Testing | | 2026-01-16 09:12:53 | |
| AlmaLinux 9.2 ESU | nodejs | 16.20.2 | 6.5 | MEDIUM | Released | CLSA-2025:1756305640 | 2025-08-28 00:57:18 | |
| CentOS 8.4 ELS | tar | 1.30-5 | 6.5 | MEDIUM | Not Vulnerable | | 2026-01-06 09:25:55 | |
| CentOS 8.5 ELS | tar | 1.30-5 | 6.5 | MEDIUM | Not Vulnerable | | 2026-01-06 09:25:57 | |
| CentOS Stream 8 ELS | tar | 1.3 | 6.5 | MEDIUM | Ignored | | 2026-01-17 01:14:31 | This vulnerability only causes a denial‑of‑service by exhausting memory during extraction of a m... |
| TuxCare 9.6 ESU | nodejs | 16.20.2 | 6.5 | MEDIUM | Released | CLSA-2026:1770717358 | 2026-02-10 13:41:50 | |