tar is vulnerable to Denial of Service (DoS)
53
Medium Risk
tar strips trailing NUL bytes from GNU long-name and long-linkpath extended headers but does not apply the same sanitization to the path and linkpath values parsed from PAX extended headers. A crafted PAX record that embeds a NUL byte in a path or linkpath is parsed verbatim into the entry path and reaches the underlying filesystem calls, which reject the NUL byte and throw an error outside the caller's await and try-catch boundary. Extracting an untrusted archive therefore raises an uncaught exception that terminates the process, and the same parsing gap creates a parser differential that lets a NUL-bearing path bypass validators that pre-scan archives with other tar tools. The fix strips everything from the first NUL byte onward when parsing PAX key/value records.
You are affected if you are using a version that falls within the vulnerable range and your application extracts or parses untrusted tar archives.
tar is vulnerable to Denial of Service (DoS) in versions 0.0.1 - 7.5.16.
Upgrade the tar library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant