PatchSiren cyber security CVE debrief
CVE-2026-59873 isaacs CVE debrief
CVE-2026-59873 is a critical vulnerability in node-tar, a tar archive manipulation library for Node.js. The issue allows a small crafted gzip bomb to exhaust disk space and CPU due to the lack of hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths. This vulnerability was fixed in version 7.5.19. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. Developers and administrators using node-tar in their Node.js applications should be aware of this vulnerability and take immediate action to update to version 7.5.19 or later to prevent potential disk space and CPU exhaustion attacks. The CVE record was published on 2026-07-08T16:16:33.867Z and has not been modified since then.
- Vendor
- isaacs
- Product
- node-tar
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using node-tar in their Node.js applications should be aware of this vulnerability and take immediate action to update to version 7.5.19 or later to prevent potential disk space and CPU exhaustion attacks. This includes reviewing and monitoring Node.js applications using node-tar for potential vulnerabilities and implementing compensating controls to detect and prevent potential attacks.
Technical summary
node-tar, a tar archive manipulation library for Node.js, does not enforce hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths. This allows a small crafted gzip bomb to exhaust disk space and CPU. The issue is fixed in version 7.5.19. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. Affected product deployments should be reviewed for potential exposure, and owners should plan for updates or mitigations through normal change control. Compensating controls should be reviewed for exposed systems while remediation is scheduled and verified.
Defensive priority
High, given the critical severity and potential for disk space and CPU exhaustion attacks. Immediate action is required to update to version 7.5.19 or later and implement compensating controls to detect and prevent potential attacks. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL, indicating a high level of urgency for remediation. Additionally, defenders should review and monitor Node.js applications using node-tar for potential vulnerabilities and implement compensating controls to detect and prevent potential attacks. This may include tracking exceptions, retesting remediated assets, and closing the item only after evidence is documented. The lack of hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths increases the risk of successful exploitation, emphasizing the need for prompt remediation and enhanced monitoring. Therefore, the defensive priority is High, and defenders should take immediate action to mitigate the vulnerability and prevent potential attacks. The recommended actions include updating node-tar to version 7.5.19 or later, reviewing and monitoring Node.js applications using node-tar, and implementing compensating controls to detect and prevent potential attacks. By taking these steps, defenders can reduce the risk of successful exploitation and protect their systems from potential disk space and CPU exhaustion attacks. The vulnerability's critical severity and potential impact on Node.js applications using node-tar necessitate a High defensive priority and immediate remediation efforts. Defenders should prioritize updating node-tar to version 7.5.19 or later and implementing compensating controls to detect and prevent potential attacks, while also reviewing and monitoring Node.js applications using node-tar for potential vulnerabilities. This will help prevent potential disk space and CPU exhaustion attacks and reduce the risk of successful exploitation. The High defensive priority reflects the critical severity of the vulnerability and the need for prompt remediation and enhanced monitoring to prevent potential attacks. Therefore, defenders should take a High
Recommended defensive actions
- Update node-tar to version 7.5.19 or later
- Review and monitor Node.js applications using node-tar for potential vulnerabilities
- Implement compensating controls to detect and prevent potential attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-08T16:16:33.867Z and was last modified on 2026-07-10T18:01:31.563Z. The NVD entry is currently Awaiting Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official CVE record and NVD entry. The vulnerability has a CVSS score of 9.2 and is classified as CRITICAL. The issue allows a small crafted gzip bomb to exhaust disk space and CPU due to the lack of hard upper bounds on total decompressed data, entry counts, or decompression ratio in extraction and parsing paths.
Official resources
-
CVE-2026-59873 CVE record
CVE.org
-
CVE-2026-59873 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Exploit, Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T16:16:33.867Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.