Infinite loop in node-tar - #VU135767
Published: June 29, 2026
node-tar
Detailed vulnerability description
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to a loop with an unreachable exit condition in tar.replace() when scanning an attacker-controlled existing archive. A remote attacker can supply a specially crafted tar archive with a negative base-256 encoded entry size to cause a denial of service.
Only applications that call the replace API on an existing attacker-controlled archive are affected; plain extraction-only workflows are not affected.
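
A pre-flight check for the condition described above, as an added example that is not node-tar's code or its fix: it walks the 512-byte headers of an untrusted archive and rejects the archive if any size field is negative or malformed, before the file is passed to tar.replace(). The function names, the sample archive and the header layout used (size field at offset 124, 12 bytes long, base-256 values marked by a first byte of 0x80 for positive and 0xff for negative) are assumptions of this example.

```javascript
// Added example: validate size fields before calling a replace/update API.
const BLOCK = 512;     // tar header and data block size
const SIZE_OFF = 124;  // offset of the size field in the header
const SIZE_LEN = 12;   // length of the size field

// Decode one header's size field; anything that is not a non-negative,
// safely representable integer is rejected. `header` must be a Buffer.
function decodeSize(header) {
  const field = header.subarray(SIZE_OFF, SIZE_OFF + SIZE_LEN);
  if (field[0] === 0xff) return { ok: false, reason: 'negative base-256 size' };
  if (field[0] === 0x80) {
    let v = 0n; // positive base-256: big-endian integer in the remaining bytes
    for (const b of field.subarray(1)) v = (v << 8n) | BigInt(b);
    if (v > BigInt(Number.MAX_SAFE_INTEGER)) return { ok: false, reason: 'size too large' };
    return { ok: true, value: Number(v) };
  }
  const text = field.toString('latin1').replace(/[\0 ]+$/, '').trim();
  if (!/^[0-7]*$/.test(text)) return { ok: false, reason: 'malformed size field' };
  return { ok: true, value: text === '' ? 0 : parseInt(text, 8) };
}

// Walk every header. The position always advances by at least one block,
// so the scan terminates regardless of what the size fields contain.
function scanArchive(buf) {
  let pos = 0;
  while (pos + BLOCK <= buf.length) {
    const header = buf.subarray(pos, pos + BLOCK);
    if (header.every((b) => b === 0)) break; // end-of-archive marker
    const size = decodeSize(header);
    if (!size.ok) return { safe: false, offset: pos, reason: size.reason };
    pos += BLOCK + Math.ceil(size.value / BLOCK) * BLOCK;
  }
  return { safe: true, offset: pos, reason: null };
}

// Constructed sample input (not taken from a real archive; checksums omitted).
function sampleHeader(name, sizeField) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 'latin1');
  sizeField.copy(h, SIZE_OFF);
  return h;
}
const GOOD = sampleHeader('a.txt', Buffer.from('5'.padStart(11, '0') + '\0', 'latin1'));
const BAD = sampleHeader('b.txt', Buffer.alloc(SIZE_LEN, 0xff));
const SAMPLE = Buffer.concat([GOOD, Buffer.alloc(BLOCK, 0x41), BAD, Buffer.alloc(BLOCK * 2)]);
console.log(scanArchive(SAMPLE));
```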