GHSA-f5x3-32g6-xq36 · Severity: medium · Ecosystem: npm — Denial of service while parsing a tar file due to lack of folders count validation
node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.
Conclusion & alert: CVE-2024-28863 is rated High Exploit Risk (60.8/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.93%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.66% | 0.93% | +0.27% |
| 2 | 2026-05-22 | 0.65% | 0.66% | +0.01% |
| 3 | 2026-04-09 | — | 0.65% | — |
Full EPSS history (20 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
GHSA-f5x3-32g6-xq36 · Severity: medium · Ecosystem: npm — Denial of service while parsing a tar file due to lack of folders count validation
| vendor | priority | summary | link |
|---|---|---|---|
alpine
|
— | CVE-2024-28863: 1 source package rows (tar); 33 state rows across 6 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, 3.23-main, edge-main); fixed 33, open 0. | https://security.alpinelinux.org/vuln/CVE-2024-28863 |
debian
|
not yet assigned | CVE-2024-28863 not yet assigned priority: Debian including 1 source packages (node-tar), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 4, open 1. | https://security-tracker.debian.org/tracker/CVE-2024-28863 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2024-28863 |
ubuntu
|
medium | CVE-2024-28863 medium priority: Ubuntu including 1 source packages (node-tar), 11 status rows across 11 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 6, needed 2, ignored 1, needs-triage 1, released 1. | https://ubuntu.com/security/CVE-2024-28863 |
| URL | Tags |
|---|---|
| https://github.com/isaacs/node-tar/commit/fe8cd57da5686f8695415414bda49206a545f7f7 | Patch |
| https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36 | Exploit Vendor Advisory |
| https://security.netapp.com/advisory/ntap-20240524-0005/ | Third Party Advisory |