{"id":"UBUNTU-CVE-2024-28863","details":"node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within a few seconds of running it, using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction into excessively deep sub-folders. Note: the Ubuntu package entries in this record specify an introduced version of 0 and no fixed version, so every listed Ubuntu build should be treated as affected until a fixed version is published.","modified":"2025-09-08T17:00:20Z","published":"2024-03-21T23:15:00Z","upstream":["CVE-2024-28863"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-28863"},{"type":"REPORT","url":"https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36"},{"type":"REPORT","url":"https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-28863"}],"affected":[{"package":{"name":"node-tar","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/node-tar@4.4.10+ds1-2ubuntu1+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["4.4.10+ds1-2","4.4.10+ds1-2ubuntu1","4.4.10+ds1-2ubuntu1+esm1"],"ecosystem_specific":{"binaries":[{"binary_name":"node-tar","binary_version":"4.4.10+ds1-2ubuntu1+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-28863.json"}},{"package":{"name":"node-tar","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/node-tar@6.1.11+ds1+~cs6.0.6-1?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.1.7+~cs11.3.10-1","6.1.11+~cs11.3.10-1","6.1.11+ds1+~cs6.0.6-1"],"ecosystem_specific":{"binaries":[{"binary_name":"node-tar","binary_version":"6.1.11+ds1+~cs6.0.6-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/os
v/cve/2024/UBUNTU-CVE-2024-28863.json"}},{"package":{"name":"node-tar","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/node-tar@6.1.13+~cs7.0.5-3?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["6.1.13+~cs7.0.5-1","6.1.13+~cs7.0.5-3"],"ecosystem_specific":{"binaries":[{"binary_name":"node-tar","binary_version":"6.1.13+~cs7.0.5-3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-28863.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]}