Home > Vulnerability Database > CVE-2024-28863

Mend.io Vulnerability Database

CVE-2024-28863

Good to know:

Date: March 21, 2024

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

Language: JS

Severity Score

6.5

Related Resources (8)

Url: https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-28863

Url: https://security-tracker.debian.org/tracker/CVE-2024-28863

Url: https://security.netapp.com/advisory/ntap-20240524-0005

Url: https://security.netapp.com/advisory/ntap-20240524-0005/

Url: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36

Url: https://github.com/isaacs/node-tar

Url: https://www.mend.io/vulnerability-database/CVE-2024-28863

Severity Score

6.5

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version tar - 6.2.1

Learn More

CVSS v3.1

Base Score:	6.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-28863

Good to know:

Date: March 21, 2024

Language: JS

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?