Gzip Bomb in node-tar Creates Critical Vulnerability (CVSS 9.2) for Node.js Pipelines

CVE-2026-59873 allows CPU and disk exhaustion with a small tarball. The library sees 106 million weekly downloads on npm and supports a significant portion of the JavaScript build chain.
The node-tar library, one of the most pervasive dependencies in the JavaScript ecosystem, received registration for CVE-2026-59873 on July 12, classified with a CVSS score of 9.2 by the GitHub Advisory Database. The flaw lies in the extraction and parsing paths within src/extract.ts: no version prior to 7.5.19 applies strict limits on total uncompressed size, entry count, or compression ratio. A small, carefully crafted gzip bomb is enough to exhaust the disk and CPU of the process that opens the file.
The extent of the damage lies in the denominator. The tar package on npm registers 106.4 million downloads per week, according to Snyk, which places it among the most widely consumed support libraries in the registry. A significant portion of this usage comes from CI/CD pipelines executing npm install from scratch, but the volume reveals the exposure surface: wherever Node is processing packaged files, there is almost certainly node-tar underneath.
What the Vulnerability Does
The exploitation pattern is the classic DoS via compressed file: a tarball of a few kilobytes that, when expanded, consumes gigabytes of RAM and disk. In runtimes that perform extractions as part of a deployment or build, the difference between a healthy pipeline and a pod that fails to respond becomes a matter of which package passed through the conveyor last. The applied CWE-770 classification describes the category: resource allocation without limits or throttling. It’s the type of defect that typically escalates to incident response teams of SREs.
On the same day of July 12, two other related CVEs emerged. CVE-2026-59874, with a CVSS score of 8.7, impacts tar.replace: a header with a valid checksum but a negative size encoded in base-256 causes the file scanner to get stuck, re-reading the same header without making progress. This results in an infinite loop with no exit, cataloged under CWE-835, fixed in version 7.5.18. Meanwhile, CVE-2026-59871 breaks the process due to type confusion in numeric PAX headers, allowing a malformed tarball to crash the service.
Why This Matters Beyond the Bug Tracker
The real risk of node-tar exits the bug tracker when looking at where the library operates. In CI/CD pipelines that download and expand tarballs from semi-trusted sources, in multi-tenant PaaS environments that open client uploads, and in infrastructure tools consuming packaged artifacts, the vector is always the same: someone sends a tarball, someone extracts it, someone crashes. Without the decompression ceiling introduced in version 7.5.19, a single malicious file can pull down an entire cluster’s workers to resource exhaustion.
The node-tar team has already released version 7.5.19, with hardened limits, and version 7.5.18, which closes the loop in replace. However, the exposure window is the time gap between the commit that delivers the fix and when the build reconstructs the dependency tree. In many enterprise environments characterized by aggressive pinning and a monthly patch policy, this window can exceed weeks.
The Pattern from January Forward
The cadence of CVEs in the library has been high throughout 2026. In January, CVE-2026-23745 had already pushed node-tar up to 7.5.3 because the library failed to sanitize linkpath in hardlink and symlink entries, allowing files to be overwritten outside the extraction root. In that case, the npm CLI itself was safeguarded because it filters Link and SymbolicLink from the packages it installs, but any custom pipeline that executed tar on untrusted input remained vulnerable until updated. The GitHub advisory for this CVE listed thousands of dependent projects.
Companies consuming only signed internal artifact tarballs remain relatively safe. Those processing files submitted by users, data aggregators, vendor integrations, and public content are on the front lines, as the exploit requires no authentication and does not need a sophisticated payload. It is advisable to schedule the update alongside the next build cycle, check where extraction occurs without configured time or space limits outside the process, and for PaaS operators accepting file uploads, consider isolation in cgroups or disposable containers for each extraction operation.
This type of CVE does not make headlines outside of AppSec circles, but it tends to become an incident for those operating integrations. The practical recommendation is to review the pipelines that process any compressed files from external sources, map where node-tar is being indirectly imported, and enforce an upgrade to 7.5.19 before automated scanners start listing the defect on vendor risk dashboards.