node-tar 7.5.18: tar.replace Negative Size Header Infinite Loop
CVE-2026-59874 Published on July 8, 2026

node-tar: Negative tar entry size causes infinite loop in archive replace
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18.

NVD

Weakness Type

What is an Infinite Loop Vulnerability?

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

CVE-2026-59874 has been classified to as an Infinite Loop vulnerability or weakness.


Affected Versions

isaacs node-tar Version < 7.5.18 is affected by CVE-2026-59874