| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-tar | npm | < 6.2.1 | 6.2.1 |
| tar | npm | < 6.2.1 | 6.2.1 |
The vulnerability (CVE-2024-28863) in the node-tar package allows a denial of service because the number of nested folders (path depth) in an archive entry was not validated during extraction. An attacker-supplied archive containing an entry with an extremely deep path makes node-tar attempt to create every intermediate directory, and that unbounded work exhausts resources on the extracting host. The fixing commit fe8cd57da5686f8695415414bda49206a545f7f7 addresses this by bounding the path depth an entry may have.
The analysis of the patch in lib/unpack.js reveals the following:

- A maxDepth option and a DEFAULT_MAX_DEPTH constant are introduced. The Unpack class constructor is modified to initialize a this.maxDepth property from the provided option, falling back to the default. Before the patch the constructor established no depth limit at all, so the extraction steps that follow could attempt to create an unbounded number of nested directories.
- The [CHECKPATH] method (a symbol-keyed method on Unpack.prototype) is modified to split the entry path into its parts and compare parts.length against this.maxDepth. If the limit is exceeded, a warning is emitted and the method returns false, so that entry is skipped rather than extracted (extraction of the remaining entries continues; node-tar turns such warnings into errors when the strict option is set). Previously this method performed no depth check, so excessively deep paths were handed on to the filesystem operations.
- UnpackSync extends Unpack. Its constructor calls super(opt), so it inherits the maxDepth initialization (and, in the vulnerable version, its absence) from the Unpack constructor and was vulnerable for the same reason.
- UnpackSync does not override [CHECKPATH], so it inherits the method from Unpack and was vulnerable through the inherited method's missing depth validation.

In summary, the vulnerable functions are the constructors of Unpack and UnpackSync (which previously established no maximum path depth) and their shared [CHECKPATH] method (which previously performed no depth validation, allowing excessively deep paths to be processed and the resulting directory creation to exhaust resources). These are the functions that process tar entry paths, and the patch modifies or affects each of them to introduce the depth validation logic.
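To make the mechanism concrete, the following is an added, stand-alone model of the check the patch introduces; it is not node-tar's own code. It keeps the page's names (Unpack, UnpackSync, the symbol-keyed [CHECKPATH], maxDepth, DEFAULT_MAX_DEPTH), but the default value of 1024, the warning code and message, the way segments are counted, and the simulated mkdir bookkeeping are assumptions of this model. The pre-patch class creates every level of an attacker-chosen path; the patched class rejects the entry before any directory work, and UnpackSync gets the same behaviour purely by inheritance.

```javascript
// Stand-alone model of the path-depth check that the CVE-2024-28863 fix adds to
// node-tar's lib/unpack.js. Added example, not node-tar's own code: the names
// Unpack, UnpackSync, [CHECKPATH], maxDepth and DEFAULT_MAX_DEPTH follow the
// page; the default of 1024, the warning code/message, the segment counting and
// the simulated mkdir are assumptions of this model.
const DEFAULT_MAX_DEPTH = 1024; // assumed default limit

// Symbol-keyed method name, matching the page's description of [CHECKPATH].
const CHECKPATH = Symbol('checkPath');

// Split an entry path into its non-empty segments. Backslashes count as
// separators; a trailing '/' (tar directory entry) adds no segment.
function pathSegments(entryPath) {
  return entryPath.replace(/\\/g, '/').split('/').filter((s) => s.length > 0);
}

// Pre-patch shape: no maxDepth and no depth check. Directory creation is
// simulated by counting the mkdir calls that extracting the entry would issue.
class UnpackPrePatch {
  constructor(opt = {}) {
    // opt is accepted for parity with the real constructor; nothing
    // depth-related is read from it in this pre-patch shape.
    this.warnings = [];
    this.mkdirCalls = 0;
  }
  warn(code, message, data) {
    this.warnings.push({ code, message, ...data });
  }
  [CHECKPATH](entry) {
    // Only the depth aspect is modeled; the other validations the real method
    // performs (absolute paths, '..' traversal, symlinks) are out of scope.
    return true;
  }
  // Returns how many directories this single entry caused to be "created".
  extractEntry(entryPath) {
    if (!this[CHECKPATH]({ path: entryPath })) return 0;
    const segs = pathSegments(entryPath);
    const dirs = entryPath.endsWith('/') ? segs : segs.slice(0, -1);
    // Simulated mkdir -p of every level. With attacker-chosen depth this loop,
    // and the ever-longer path handed to each mkdir, is the unbounded work.
    let dir = '';
    let calls = 0;
    for (const seg of dirs) {
      dir = dir ? dir + '/' + seg : seg;
      calls += 1;
    }
    this.mkdirCalls += calls;
    return calls;
  }
}

// Patched shape: the constructor establishes this.maxDepth and [CHECKPATH]
// rejects entries whose depth exceeds it. (Extending the pre-patch class is a
// modeling convenience so the simulated extraction is shared.)
class Unpack extends UnpackPrePatch {
  constructor(opt = {}) {
    super(opt);
    this.maxDepth = typeof opt.maxDepth === 'number' ? opt.maxDepth : DEFAULT_MAX_DEPTH;
  }
  [CHECKPATH](entry) {
    const parts = pathSegments(entry.path);
    if (parts.length > this.maxDepth) {
      this.warn('TAR_ENTRY_ERROR', 'path excessively deep', {
        path: entry.path,
        depth: parts.length,
        maxDepth: this.maxDepth,
      });
      return false; // entry skipped: no directory is created for it
    }
    return super[CHECKPATH](entry);
  }
}

// UnpackSync only calls super(opt) and does not override [CHECKPATH], so it
// gains the limit (and, before the patch, lacked it) purely through inheritance.
class UnpackSync extends Unpack {
  constructor(opt) {
    super(opt);
  }
}

// Constructed attacker-style entry path: n nested directories with the trailing
// '/' a tar directory entry carries.
function deepEntryPath(n) {
  const segs = new Array(n);
  for (let i = 0; i < n; i++) segs[i] = 'd' + i;
  return segs.join('/') + '/';
}

// Side-by-side result for one deep entry: mkdir calls made by each variant.
function compare(depth, opt) {
  const pre = new UnpackPrePatch(opt);
  const post = new UnpackSync(opt);
  return {
    depth,
    prePatchMkdirs: pre.extractEntry(deepEntryPath(depth)),
    patchedMkdirs: post.extractEntry(deepEntryPath(depth)),
    patchedWarnings: post.warnings.length,
  };
}

console.log(compare(5000, {}));
```

Running it shows the pre-patch class issuing 5000 simulated mkdir calls for a single 5000-deep entry while the patched UnpackSync issues none and records one warning. Passing { maxDepth: 8 } to either patched class lowers the limit, which is the knob an application would tune if it needs to reject deep trees well below the default.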