Uncontrolled Resource Consumption ('Resource Exhaustion') Affecting tar package, versions <6.2.1
Snyk CVSS
- Attack Complexity: Low
- User Interaction: Required
- Availability: High
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.04% (9th percentile)
- Snyk ID SNYK-JS-TAR-6476909
- published 22 Mar 2024
- disclosed 21 Mar 2024
- credit Mohamed Dief
Introduced: 21 Mar 2024
- CVE-2024-28863
How to fix?
Upgrade tar to version 6.2.1 or higher.
Overview
tar is a full-featured Tar for Node.js.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') because the number of folders created during the folder creation process is not validated. An attacker who crafts an archive containing a path with a very large number of nested sub-folders can consume memory on the system running the software and crash the client within a few seconds of extracting that path.
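As an added example, not code from Snyk or the node-tar project, the guard below has the shape of the `filter` callback that `tar.x({ filter })` calls with each entry path: it rejects entries nested deeper than an assumed limit and stops once more than an assumed number of distinct directories would have to be created. The entry paths at the bottom are constructed, including one with the deep nesting the advisory describes.

```javascript
'use strict';

// Added example, not from Snyk or node-tar. Returns a filter usable as
// tar.x({ filter }): called with each entry's path, it returns true to
// extract the entry or false to skip it. Both limits are assumptions.
function makeExtractionGuard({ maxDepth = 1024, maxDirs = 10000 } = {}) {
  const dirs = new Set();   // directories extraction would have created so far
  const stats = { accepted: 0, rejected: 0, reasons: [] };

  function filter(entryPath) {
    const raw = String(entryPath);
    const isDir = /[\\/]$/.test(raw);
    // Normalise separators and drop empty and '.' segments.
    const segments = raw.replace(/\\/g, '/').split('/').filter(s => s && s !== '.');
    if (segments.length > maxDepth) {
      stats.rejected++;
      stats.reasons.push(`depth ${segments.length} exceeds ${maxDepth}: ${raw}`);
      return false;
    }
    // Every ancestor of a file, and the directory itself for a directory
    // entry, is a folder the extractor has to create.
    const last = isDir ? segments.length : segments.length - 1;
    const newDirs = [];
    for (let i = 1; i <= last; i++) {
      const prefix = segments.slice(0, i).join('/');
      if (!dirs.has(prefix)) newDirs.push(prefix);
    }
    if (dirs.size + newDirs.length > maxDirs) {
      stats.rejected++;
      stats.reasons.push(`would create ${dirs.size + newDirs.length} directories, limit ${maxDirs}: ${raw}`);
      return false;
    }
    for (const d of newDirs) dirs.add(d);
    stats.accepted++;
    return true;
  }
  return { filter, stats };
}

// Constructed entry paths standing in for an archive's entries; the last one
// nests 2000 sub-folders, the pattern this advisory describes.
const deepPath = 'd/'.repeat(2000) + 'payload.txt';
const guard = makeExtractionGuard({ maxDepth: 1024, maxDirs: 10000 });
const results = ['docs/readme.md', 'src/lib/index.js', deepPath]
  .map(p => [p, guard.filter(p)]);
// Typical wiring: tar.x({ file: 'untrusted.tar', cwd: 'out', filter: guard.filter })
```

Upgrading to 6.2.1 remains the fix; this guard only bounds what an extractor on an affected version is asked to create.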