Bug 2498116 (CVE-2026-59874) - CVE-2026-59874 tar: Node-tar: Denial of Service via malformed tar archive header
Summary: CVE-2026-59874 tar: Node-tar: Denial of Service via malformed tar archive header
Keywords:
Status: NEW
Alias: CVE-2026-59874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2498790 2498791 2498792 2498794 2498795 2498796 2498797 2498798 2498799 2498800 2498802 2498803 2498804 2498793 2498801
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-07-08 16:01 UTC by OSIDB Bzimport
Modified: 2026-07-09 22:25 UTC (History)
118 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-07-08 16:01:33 UTC
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.


Note You need to log in before you can comment on or make changes to this bug.