PT-2024-7914 · Node.Js+7

Demon1A · Published 2024-03-21 · Updated 2026-03-29 · CVE-2024-28863

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: node-tar versions prior to 6.2.1; Node.js (affected versions not specified)
Description: The node-tar package, used for Tar operations in Node.js, is susceptible to a denial-of-service condition. This occurs because there is no limit on the number of sub-folders created during the folder creation process. An attacker can exploit this by providing a specially crafted path containing a large number of nested sub-folders. This can lead to excessive memory consumption and potentially crash the Node.js client. The issue is resolved in version 6.2.1, which prevents extraction in excessively deep sub-folders.
Recommendations: Update node-tar to version 6.2.1 or later.
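The description above explains the root cause: nothing bounds how deep an entry path may nest. Where upgrading is delayed, a pre-extraction scan can enforce such a bound; the block below is an added example written here, not code from node-tar or from this advisory. It assumes plain POSIX/ustar 512-byte headers, and the depth limit of 32 used in the demo is an arbitrary placeholder policy value.

```javascript
// Added defensive example, not node-tar's own code: reject archive entries whose
// path nests deeper than a policy limit before they reach the extractor. Assumes
// plain POSIX/ustar 512-byte headers; maxDepth is a deployer-chosen value.

// Count directory depth of a tar entry path. '' and '.' segments are ignored;
// '..' is counted as a segment so a hostile path never under-counts.
function pathDepth(entryPath) {
  return entryPath.split('/').filter(s => s !== '' && s !== '.').length;
}

// Scan the archive and return every entry whose depth exceeds maxDepth.
function findTooDeepEntries(tarBuf, maxDepth) {
  const bad = [];
  for (let off = 0; off + 512 <= tarBuf.length; ) {
    const hdr = tarBuf.subarray(off, off + 512);
    if (hdr.every(b => b === 0)) break;                       // end-of-archive block
    const field = (at, len) => hdr.toString('latin1', at, at + len).split('\0')[0];
    const prefix = field(345, 155);                           // ustar prefix field
    const entryPath = prefix ? `${prefix}/${field(0, 100)}` : field(0, 100);
    const size = parseInt(field(124, 12).trim() || '0', 8);   // octal data size
    const depth = pathDepth(entryPath);
    if (depth > maxDepth) bad.push({ path: entryPath, depth });
    off += 512 + Math.ceil(size / 512) * 512;                 // skip header + padded data
  }
  return bad;
}

// Build a minimal ustar archive of zero-length directory entries (constructed
// sample input for the demo; names must fit the 100-byte name field).
function buildTar(paths) {
  const blocks = paths.map(p => {
    const hdr = Buffer.alloc(512);
    hdr.write(p, 0, 'latin1');                                // name
    hdr.write('0000755\0', 100);                              // mode
    hdr.write('00000000000\0', 124);                          // size 0
    hdr.write('5', 156);                                      // typeflag: directory
    hdr.write('ustar\0' + '00', 257);                         // magic + version
    hdr.fill(0x20, 148, 156);                                 // chksum field as spaces
    const sum = hdr.reduce((a, b) => a + b, 0);
    hdr.write(sum.toString(8).padStart(6, '0') + '\0 ', 148); // checksum
    return hdr;
  });
  return Buffer.concat([...blocks, Buffer.alloc(1024)]);       // two zero blocks
}

// Demo: a sane path passes, a 40-level nested one is flagged.
const sample = buildTar(['pkg/lib/', './' + 'd/'.repeat(40)]);
console.log(findTooDeepEntries(sample, 32)); // -> one entry with depth 40
```

The same depth test can be applied as the `filter` callback of node-tar's extract options, which receives each entry path before it is unpacked.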

Exploit · Fix

DoS · Allocation of Resources Without Limits · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:5814
ALSA-2024:6147
ALSA-2024:6148
ALSA-2024_5814
ALSA-2024_6147
ALSA-2024_6148
AZL-37115
AZL-37121
AZL-37136
BDU:2024-09418
CESA-2024_5814
CESA-2024_6148
CVE-2024-28863
GHSA-F5X3-32G6-XQ36
INFSA-2024_5814
INFSA-2024_6147
INFSA-2024_6148
RHSA-2024:5814
RHSA-2024:6147
RHSA-2024:6148
RHSA-2024:8906
RHSA-2024_5814
RHSA-2024_6147
RHSA-2024_6148
RLSA-2024:5814
RLSA-2024:6147
RLSA-2024:6148

Affected Products

Almalinux
Centos
Debian
Node.Js
Red Hat
Red Os
Rocky Linux
Node-Tar