CVE-2024-28863 Overview
CVE-2024-28863 is a Denial of Service vulnerability affecting node-tar, the popular Tar archive library for Node.js. Prior to version 6.2.1, node-tar does not enforce any limit on the number of sub-folders that can be created during the extraction process. An attacker can craft a malicious tar archive containing an excessively deep directory structure that, when extracted, consumes available memory on the target system and can crash the Node.js process within seconds.
Critical Impact
Attackers can trigger memory exhaustion and crash Node.js applications by providing a specially crafted tar archive with deeply nested sub-folders, leading to denial of service conditions.
Affected Products
- isaacs tar (node-tar) versions prior to 6.2.1
- Node.js applications using vulnerable node-tar versions
- Build systems and package managers relying on node-tar for archive extraction
Discovery Timeline
- 2024-03-21 - CVE-2024-28863 published to NVD
- 2025-12-16 - Last updated in NVD database
Technical Details for CVE-2024-28863
Vulnerability Analysis
This vulnerability falls under CWE-400 (Uncontrolled Resource Consumption), where the application fails to properly limit resource allocation in response to user input. The node-tar library processes tar archives and creates directory structures as specified within the archive without validating the depth of nested folders.
When processing a maliciously crafted archive, the recursive folder creation logic continues indefinitely, allocating memory for each directory level. This unbounded resource consumption can quickly exhaust available system memory, resulting in process termination or system instability.
Root Cause
The root cause lies in the absence of a maximum depth check in the folder creation logic within lib/unpack.js. Prior to the fix, the extraction process would attempt to create any directory structure specified in the tar archive, regardless of how deeply nested it was. This allowed attackers to specify paths with thousands of nested sub-folders, triggering exponential memory consumption during the extraction process.
Attack Vector
The attack requires user interaction where a victim must extract a malicious tar archive using a vulnerable version of node-tar. The attack is network-deliverable since malicious archives can be distributed via various channels including package repositories, file sharing services, or as part of software distribution. The exploitation results in high availability impact through memory exhaustion and application crash, while confidentiality and integrity remain unaffected.
The security patch introduces a DEFAULT_MAX_DEPTH constant to limit extraction depth:
const getFlag = require('./get-write-flag.js')
const platform = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform
const isWindows = platform === 'win32'
+const DEFAULT_MAX_DEPTH = 1024
// Unlinks on Windows are not atomic.
//
Source: GitHub Commit fe8cd57
Detection Methods for CVE-2024-28863
Indicators of Compromise
- Sudden memory spikes in Node.js processes handling tar archive extraction
- Node.js process crashes with out-of-memory errors during archive operations
- Tar archives containing paths with unusually deep directory structures (exceeding 1024 levels)
- Extraction operations taking abnormally long times before failing
Detection Strategies
- Monitor dependency manifests (package.json, package-lock.json) for node-tar versions below 6.2.1
- Implement software composition analysis (SCA) scanning to identify vulnerable node-tar installations
- Set up alerts for Node.js process memory consumption anomalies during file extraction operations
- Review application logs for extraction failures or memory allocation errors
Monitoring Recommendations
- Configure resource limits (memory, CPU) for processes that handle user-provided archives
- Implement alerting on Node.js heap memory usage exceeding normal operational thresholds
- Monitor for repeated process restarts that could indicate exploitation attempts
- Track archive extraction operations and flag those with excessive directory depth
How to Mitigate CVE-2024-28863
Immediate Actions Required
- Upgrade node-tar to version 6.2.1 or later immediately
- Audit all Node.js applications and build pipelines for node-tar dependencies
- Review transitive dependencies that may include vulnerable node-tar versions
- Implement input validation to reject archives before extraction if possible
Patch Information
The vulnerability is fixed in node-tar version 6.2.1. The patch introduces a default maximum depth limit of 1024 sub-folders for extraction operations. Organizations should update their dependencies using their package manager:
- Review the GitHub Security Advisory GHSA-f5x3-32g6-xq36 for complete details
- See the security patch commit for implementation specifics
- NetApp Security Advisory provides additional vendor guidance
Workarounds
- Implement process-level memory limits to contain potential resource exhaustion
- Validate tar archive contents before extraction using archive inspection tools
- Run extraction operations in isolated environments (containers, sandboxes) with resource constraints
- Pre-scan archives for excessive path depth before processing with node-tar
# Update node-tar to patched version
npm update tar@^6.2.1
# Or force update in package.json
npm install tar@6.2.1 --save
# Verify installed version
npm list tar
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
