CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28863 – node-tar vulnerable to denial of service while parsing a tar file due to lack of folders count validation
https://notcve.org/view.php?id=CVE-2024-28863
21 Mar 2024 — node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. node-tar es un Tar para Node.js. Node-tar anterior a la ve... • https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 2CVE-2018-20834 – nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link
https://notcve.org/view.php?id=CVE-2018-20834
30 Apr 2019 — A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2). Se detecto una vulnerabilidad en node-tar en versiones anteriores a la 4.4.2 (excluyendo la versión 2.2.2). • https://github.com/ossf-cve-benchmark/CVE-2018-20834 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •