
Debian 11 node-tar Critical Memory Crash and Access Flaws DLA-4552-1

Debian LTS
April 29, 2026
Multiple critical vulnerabilities in node-tar fixed to prevent memory issues and unauthorized file access in Debian.
Multiple vulnerabilities have been discovered in node-tar, a Node.js module to read and write portable tar archives.

Summary

CVE-2024-28863

Generating a large number of sub-folders can consume memory on the
system and even crash the Node.js client within a few seconds using
a path with too many sub-folders inside.

CVE-2026-23745

When preservePaths is false, the linkpath of Link (hardlink) and
SymbolicLink entries fail to be sanitized, allowing malicious
archives to bypass the extraction root restriction, leading to
arbitrary file overwrites via hardlinks and symlink poisoning via
absolute symlink targets.

The fix for this issue introduced the following vulnerabilities.

CVE-2026-24842

The security check for hardlink entries allows an attacker to craft
a malicious TAR archive that bypasses path traversal protections and
creates hardlinks to arbitrary files outside the extraction
directory.

CVE-2026-26960

An attacker-controlled archive can create a hardlink inside the
extraction directory that points to a file outside the extraction



Severity: Critical

Package: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1+deb11u3
CVE ID: CVE-2024-28863 CVE-2026-23745 CVE-2026-24842 CVE-2026-26960
