Node-tar <7.5.18 PAX Path Coercion Causing Uncaught TypeError
CVE-2026-59871 Published on July 8, 2026
node-tar: Process crash via PAX numeric path type confusion
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPath(entry.path).split('/') to throw an uncaught TypeError. This issue is fixed in version 7.5.18.
Vulnerability Analysis
CVE-2026-59871 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.
Weakness Type
Incorrect Type Conversion or Cast
The software does not correctly convert an object, resource, or structure from one type to a different type.