UBUNTU-CVE-2024-28863

Advisory lineage Upstream: 1 Downstream: 0
Upstream
CVE-2024-28863
Published: 21 Mar 2024, 23:15
Last modified:08 Sept 2025, 17:00

Vulnerability Summary

Overall Risk (default)
medium
26/100
CVSS Score
6.5 MEDIUM
3.1 (osv_ubuntu)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

21 Mar 2024, 23:15
Published
Vulnerability first disclosed
08 Sept 2025, 17:00
Last Modified
Vulnerability information updated

Description

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.

CVSS Metrics

  • v3.1MEDIUMScore: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Affected Systems

  • ubuntunode-tar

    all | all | all

References (4)