MEDIUM · CVSS 5.3

CVE-2024-28863 — node-tar DoS via malformed header

node-tar placed no limit on the number of sub-directories an archive could create during extraction, so a crafted tarball could drive memory use up until the Node.js process crashed. Any service that extracts uploaded tarballs was exposed (package registries, Docker-adjacent tooling, generic file import).

Affects
  • node-tar < 6.2.1

What an attacker does

An attacker uploads a tarball whose entries carry very deeply nested paths (thousands of sub-directories). While creating the directory tree, node-tar allocates state for every level and nothing bounds the depth or the count, so a single sufficiently deep entry can crash the process within seconds of extraction starting. Repeated uploads keep the service down for as long as the attacker cares to send them.

How to detect

Run `npm ls tar --all` (npm 7 and later hide transitive dependencies unless `--all` is given) and compare every listed `tar` version against 6.2.1. The package is usually present only transitively, for example via build tooling such as node-gyp, so a top-level check of package.json is not enough. `npm audit` also reports the advisory once the lockfile has been resolved.
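The check above can be scripted against the JSON form of the same command. The following is an added example, not code from the advisory or from the node-tar project: it walks the `dependencies` tree that `npm ls tar --all --json` prints, records every `tar` occurrence with the chain that pulls it in, and flags versions below 6.2.1. The input tree is constructed inline for illustration; in practice pipe the real `npm ls` output in its place.

```javascript
// First version of node-tar that carries the fix (from the advisory).
const FIXED = [6, 2, 1];

// Parse "major.minor.patch" from a version string, ignoring any
// pre-release or build suffix. Returns null for anything unparseable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) return null;
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `version` is strictly below 6.2.1. Unparseable versions are
// reported as not vulnerable rather than guessed at.
function isVulnerable(version) {
  const p = parseVersion(version);
  if (!p) return false;
  for (let i = 0; i < 3; i++) {
    if (p[i] < FIXED[i]) return true;
    if (p[i] > FIXED[i]) return false;
  }
  return false;
}

// Recursively walk an `npm ls --json` tree and collect each `tar` node
// together with the dependency chain that leads to it.
function findTar(tree, chain = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...chain, name];
    if (name === 'tar' && node.version) {
      out.push({
        chain: here.join(' > '),
        version: node.version,
        vulnerable: isVulnerable(node.version),
      });
    }
    findTar(node, here, out);
  }
  return out;
}

// Return only the chains that still resolve to a vulnerable copy,
// formatted as "a > b > tar@x.y.z".
function vulnerableChains(tree) {
  return findTar(tree)
    .filter((r) => r.vulnerable)
    .map((r) => `${r.chain}@${r.version}`);
}

// Constructed sample (not real `npm ls` output): an upload service that
// depends on tar directly and also receives two transitive copies.
const SAMPLE = {
  name: 'upload-service',
  version: '1.0.0',
  dependencies: {
    tar: { version: '6.2.1' },
    'node-gyp': {
      version: '9.4.1',
      dependencies: { tar: { version: '6.1.15' } },
    },
    'some-tool': {
      version: '2.0.0',
      dependencies: { tar: { version: '7.0.1' } },
    },
  },
};

console.log(vulnerableChains(SAMPLE));
```

Only the copy reached through `node-gyp` is reported; the direct dependency is already on 6.2.1 and the third copy is on a later major. Feed real data with `npm ls tar --all --json > tree.json` and replace `SAMPLE` with `JSON.parse(fs.readFileSync('tree.json'))`.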

How to fix

Upgrade node-tar to 6.2.1 or later, including every transitive copy: `npm update tar` where the dependent's range allows it, otherwise an `overrides` entry for `tar` in package.json (npm 8.3+). Re-run `npm ls tar --all` afterwards and confirm that no listed version is below 6.2.1.

How Securie catches it

Securie flags the transitive chain where user-uploaded tarballs hit node-tar.

References