CVE-2024-28863

EUVD-2024-0909
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
Affected Products (NVD)
VendorProductVersion
isaacstar
𝑥
< 6.2.1
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
node-tar_projectnode-tar
𝑥
< 6.2.1
ADP
Debian logo
Debian Releases
Debian Product
Codename
node-tar
bookworm
no-dsa
bullseye
no-dsa
bullseye (security)
vulnerable
buster
no-dsa
forky
6.2.1+ds1+~cs6.1.13-5
fixed
sid
6.2.1+ds1+~cs6.1.13-5
fixed
trixie
6.2.1+~cs7.0.8-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-tar
bionic
not-affected
focal
needed
jammy
needed
mantic
ignored
noble
needs-triage
oracular
not-affected
plucky
not-affected
questing
not-affected
trusty
not-affected
xenial
not-affected
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
nodejs
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-debuginfo
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-debugsource
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-devel
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-docs
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-full-i18n
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-libs
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-libs-debuginfo
Amazon Linux 2023
1:18.20.4-1.amzn2023.0.1
fixed
nodejs-npm
Amazon Linux 2023
1:10.7.0-1.18.20.4.1.amzn2023.0.1
fixed
nodejs20
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-debuginfo
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-debugsource
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-devel
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-docs
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-full-i18n
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-libs
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-libs-debuginfo
Amazon Linux 2023
1:20.18.0-1.amzn2023.0.2
fixed
nodejs20-npm
Amazon Linux 2023
1:10.8.2-1.20.18.0.1.amzn2023.0.2
fixed
v8-10.2-devel
Amazon Linux 2023
3:10.2.154.26-1.18.20.4.1.amzn2023.0.1
fixed
v8-11.3-devel
Amazon Linux 2023
3:11.3.244.8-1.20.18.0.1.amzn2023.0.2
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
nodejs
Azure Linux 3.0
0:20.14.0-1.azl3
fixed
nodejs18
CBL-Mariner 2.0
0:18.20.3-1.cm2
fixed
reaper
CBL-Mariner 2.0
0:3.1.1-17.cm2
fixed