CVE-2024-28863

Publication date 21 March 2024

Last updated 24 July 2024


Ubuntu priority

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
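A pre-extraction screen for the condition described above, as an added example (not node-tar's code and not part of this advisory): it walks the headers of an uncompressed tar buffer, including GNU long-name and pax path records, and reports entries nested deeper than a limit. `MAX_DEPTH`, the function names and the sample archive are assumptions made for illustration.

```javascript
// Added example, not node-tar code. MAX_DEPTH is a hypothetical policy value.
const MAX_DEPTH = 32;
// Read a NUL-terminated string field from a buffer.
function str(buf, off, len) {
  const raw = buf.subarray(off, off + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? raw.length : end);
}
// Count real path segments, ignoring empty and "." ones.
const pathDepth = (p) => p.split('/').filter((s) => s && s !== '.').length;

// Walk the headers of an uncompressed tar buffer and return over-deep entries.
function findDeepEntries(tar, maxDepth = MAX_DEPTH) {
  const deep = [];
  let longName = null; // path supplied by a preceding GNU 'L' or pax 'x' record
  for (let off = 0; off + 512 <= tar.length;) {
    const h = tar.subarray(off, off + 512);
    if (h.every((b) => b === 0)) break; // end-of-archive block
    const size = parseInt(str(h, 124, 12).trim() || '0', 8);
    if (!Number.isInteger(size)) throw new Error(`unparsed size at offset ${off}`);
    const body = tar.subarray(off + 512, off + 512 + size);
    const type = String.fromCharCode(h[156]);
    off += 512 + Math.ceil(size / 512) * 512; // header plus padded body
    if (type === 'L') { longName = str(body, 0, size); continue; }
    if (type === 'x') {
      const m = /^\d+ path=(.*)$/m.exec(body.toString('utf8'));
      if (m) longName = m[1];
      continue;
    }
    const prefix = str(h, 345, 155);
    const path = longName ?? (prefix ? `${prefix}/` : '') + str(h, 0, 100);
    longName = null;
    if (pathDepth(path) > maxDepth) deep.push({ depth: pathDepth(path), path: path.slice(0, 40) });
  }
  return deep;
}

// Constructed sample input: one header block (checksum unset, not verified here) plus padded body.
function entry(name, type, body = '') {
  const h = Buffer.alloc(512 + Math.ceil(body.length / 512) * 512);
  h.write(name, 0, 100);
  h.write(body.length.toString(8).padStart(11, '0'), 124);
  h.write(type, 156);
  if (body) h.write(body, 512);
  return h;
}
const SAMPLE = Buffer.concat([entry('docs/api/', '5'),
  entry('././@LongLink', 'L', 'a/'.repeat(2000)), entry('a/'.repeat(50), '5'), Buffer.alloc(1024)]);
console.log(findDeepEntries(SAMPLE));
```

A size field the sketch cannot parse as octal raises an error rather than being skipped, so an archive it cannot fully walk is rejected instead of passed.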

Status

Package    Ubuntu Release      Status
node-tar   24.10 oracular      Not affected
           24.04 LTS noble     Needs evaluation
           23.10 mantic        Ignored (end of life, was needed)
           22.04 LTS jammy     Vulnerable
           20.04 LTS focal     Vulnerable
           18.04 LTS bionic    Not affected
           16.04 LTS xenial    Not affected
           14.04 LTS trusty    Not affected