Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2650 articles · 174551 vulns · 36/41 feeds (7d)
← Back to list
5.3
CVE-2026-59871EXPLOITED
isaacs · node-tar

node-tar: Process crash via PAX numeric path type confusion

Description

A vulnerability described as problematic has been identified in isaacs node-tar up to 7.5.17. This affects an unknown part of the file src/pax.ts of the component PAX Path Handler. Executing a manipulation of the argument path/linkpath can lead to path traversal.

Affected Products

VendorProductVersions
isaacsnode-tar< 7.5.18, 7.5.17

References

  • https://github.com/isaacs/node-tar/security/advisories/GHSA-w8wr-v893-vjvp(x_refsource_CONFIRM)
  • https://github.com/isaacs/node-tar/commit/e02a4e9e013c4be95302e2eb2047a942b883c27b(x_refsource_MISC)
  • https://github.com/isaacs/node-tar/releases/tag/v7.5.18(x_refsource_MISC)

Related News (2 articles)

Tier A
Microsoft MSRC1h ago
CVE-2026-59871 node-tar: Process crash via PAX numeric path type confusion
→ No new info (linked only)
Tier C
VulDB3d ago
CVE-2026-59871 | isaacs node-tar up to 7.5.17 PAX Path src/pax.ts path/linkpath path traversal
→ No new info (linked only)
CVSS 3.15.3 HIGH
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA KEV❌ No
Actively exploited✅ Yes
CWECWE-704
PublishedJul 8, 2026
Last enriched3d agov2
Trending Score76
Source articles2
Independent2
Info Completeness8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (4)

HIGHCVE-2026-59873EXP
node-tar: Decompression/parse DoS via unlimited input
Trending: 58
NONECVE-2026-59874
node-tar: Negative tar entry size causes infinite loop in archive replace
Trending: 49
MEDIUMCVE-2026-59875EXP
node-tar: Uncaught Exception DoS via NUL byte in PAX path/linkpath records
Trending: 34
NONECVE-2026-53655
node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
Trending: 8

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 8, 2026
Discovered by ZDM
Jul 8, 2026
Actively Exploited
Jul 8, 2026
Updated: description, affectedVersions, severity, activelyExploited
Jul 8, 2026

Version History

v2
Last enriched 3d ago
v2Tier C3d ago

Updated description with new technical details, changed affected versions to include 7.5.17, updated severity to HIGH, and marked the vulnerability as actively exploited.

descriptionaffectedVersionsseverityactivelyExploited
via VulDB
v13d ago

Initial creation