Bug 2498803 - CVE-2026-59874 crow-translate: Node-tar: Denial of Service via malformed tar archive header [fedora-all]
Summary: CVE-2026-59874 crow-translate: Node-tar: Denial of Service via malformed tar ...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: crow-translate
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Artem
QA Contact:
URL:
Whiteboard: {"flaws": ["c8ec3acf-ec5f-4a98-a332-3...
Depends On:
Blocks: CVE-2026-59874
TreeView+ depends on / blocked
 
Reported: 2026-07-09 22:01 UTC by Jon Moroney
Modified: 2026-07-09 22:01 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jon Moroney 2026-07-09 22:01:06 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.


Note You need to log in before you can comment on or make changes to this bug.