CVE-2024-28863 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2024-28863 Interim 1 4 2025-02-16T01:21:26Z current 2024-08-27T23:17:09Z 2025-02-16T01:21:26Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2024-28863 node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Liberty Linux 8 SUSE Liberty Linux 9 nodejs-18.20.4-1.module+el9.4.0+22195+c221878e nodejs-20.16.0-1.module+el8.10.0+22203+a88c8310 nodejs-devel-18.20.4-1.module+el9.4.0+22195+c221878e nodejs-devel-20.16.0-1.module+el8.10.0+22203+a88c8310 nodejs-docs-18.20.4-1.module+el9.4.0+22195+c221878e nodejs-docs-20.16.0-1.module+el8.10.0+22203+a88c8310 nodejs-full-i18n-18.20.4-1.module+el9.4.0+22195+c221878e nodejs-full-i18n-20.16.0-1.module+el8.10.0+22203+a88c8310 nodejs-nodemon-3.0.1-1.module+el8.10.0+21159+f5a7145d nodejs-nodemon-3.0.1-1.module+el9.3.0+19762+d716bf3b nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601 nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601 npm-10.7.0-1.18.20.4.1.module+el9.4.0+22195+c221878e npm-10.8.1-1.20.16.0.1.module+el8.10.0+22203+a88c8310 nodejs-20.16.0-1.module+el8.10.0+22203+a88c8310 as a component of SUSE Liberty Linux 8 nodejs-devel-20.16.0-1.module+el8.10.0+22203+a88c8310 as a component of SUSE Liberty Linux 8 nodejs-docs-20.16.0-1.module+el8.10.0+22203+a88c8310 as a component of SUSE Liberty Linux 8 nodejs-full-i18n-20.16.0-1.module+el8.10.0+22203+a88c8310 as a component of SUSE Liberty Linux 8 nodejs-nodemon-3.0.1-1.module+el8.10.0+21159+f5a7145d as a component of SUSE Liberty Linux 8 nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a as a component of SUSE Liberty Linux 8 nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a as a component of SUSE Liberty Linux 8 npm-10.8.1-1.20.16.0.1.module+el8.10.0+22203+a88c8310 as a component of SUSE Liberty Linux 8 nodejs-18.20.4-1.module+el9.4.0+22195+c221878e as a component of SUSE Liberty Linux 9 nodejs-devel-18.20.4-1.module+el9.4.0+22195+c221878e as a component of SUSE Liberty Linux 9 nodejs-docs-18.20.4-1.module+el9.4.0+22195+c221878e as a component of SUSE Liberty Linux 9 nodejs-full-i18n-18.20.4-1.module+el9.4.0+22195+c221878e as a component of SUSE Liberty Linux 9 nodejs-nodemon-3.0.1-1.module+el9.3.0+19762+d716bf3b as a component of SUSE Liberty Linux 9 nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601 as a component of SUSE Liberty Linux 9 nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601 as a component of SUSE Liberty Linux 9 npm-10.7.0-1.18.20.4.1.module+el9.4.0+22195+c221878e as a component of SUSE Liberty Linux 9 node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. CVE-2024-28863 SUSE Liberty Linux 8:nodejs-20.16.0-1.module+el8.10.0+22203+a88c8310 SUSE Liberty Linux 8:nodejs-devel-20.16.0-1.module+el8.10.0+22203+a88c8310 SUSE Liberty Linux 8:nodejs-docs-20.16.0-1.module+el8.10.0+22203+a88c8310 SUSE Liberty Linux 8:nodejs-full-i18n-20.16.0-1.module+el8.10.0+22203+a88c8310 SUSE Liberty Linux 8:nodejs-nodemon-3.0.1-1.module+el8.10.0+21159+f5a7145d SUSE Liberty Linux 8:nodejs-packaging-2021.06-4.module+el8.9.0+19519+e25b965a SUSE Liberty Linux 8:nodejs-packaging-bundler-2021.06-4.module+el8.9.0+19519+e25b965a SUSE Liberty Linux 8:npm-10.8.1-1.20.16.0.1.module+el8.10.0+22203+a88c8310 SUSE Liberty Linux 9:nodejs-18.20.4-1.module+el9.4.0+22195+c221878e SUSE Liberty Linux 9:nodejs-devel-18.20.4-1.module+el9.4.0+22195+c221878e SUSE Liberty Linux 9:nodejs-docs-18.20.4-1.module+el9.4.0+22195+c221878e SUSE Liberty Linux 9:nodejs-full-i18n-18.20.4-1.module+el9.4.0+22195+c221878e SUSE Liberty Linux 9:nodejs-nodemon-3.0.1-1.module+el9.3.0+19762+d716bf3b SUSE Liberty Linux 9:nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601 SUSE Liberty Linux 9:nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601 SUSE Liberty Linux 9:npm-10.7.0-1.18.20.4.1.module+el9.4.0+22195+c221878e not set