Node-tar <7.5.18 PAX Path Coercion Causing Uncaught TypeError
CVE-2026-59871 Published on July 8, 2026

node-tar: Process crash via PAX numeric path type confusion
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, node-tar coerces all-digit PAX path and linkpath values in src/pax.ts to JavaScript numbers, causing downstream path handling such as normalizeWindowsPath(entry.path).split('/') to throw an uncaught TypeError. This issue is fixed in version 7.5.18.

NVD

Vulnerability Analysis

CVE-2026-59871 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
LOW

Weakness Type

Incorrect Type Conversion or Cast

The software does not correctly convert an object, resource, or structure from one type to a different type.


Affected Versions

isaacs node-tar Version < 7.5.18 is affected by CVE-2026-59871