Type conversion in node-tar - #VU135766
Published: June 29, 2026
node-tar
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to incorrect type conversion or cast in the PAX header parser when parsing a crafted tar archive with an all-digit path value. A remote attacker can supply a specially crafted tar archive to cause a denial of service.
The crash occurs as an uncaught TypeError during extraction and bypasses application-level error handling, including error and warning handlers.