The Infinite Hallway: Crashing Node.js with CVE-2024-28863
Vulnerability ID: CVE-2024-28863
CVSS Score: 6.5
Published: 2024-03-21
A Denial of Service (DoS) vulnerability (CVSS 6.5, Medium) in the widely used node-tar library allows an attacker to crash Node.js applications by supplying a tar archive containing an excessively deep directory path. Before 6.2.1 node-tar placed no limit on how many nested sub-folders it would create while extracting an entry, so a single entry whose path has hundreds of thousands of components makes the unpacker build and walk an enormous list of path components and create every intermediate directory, exhausting memory (an Out of Memory crash) or CPU.
TL;DR
If you let users upload tarballs, they can kill your server by nesting folders 200,000 levels deep. node-tar < 6.2.1 didn't check how deep the rabbit hole went, so extracting such an archive exhausts memory within seconds.
⚠️ Exploit Status: POC
Technical Details
- CWE: CWE-400 (Uncontrolled Resource Consumption)
- Attack Vector: Network (Malicious Archive)
- CVSS: 6.5 (Medium)
- Impact: Denial of Service (App Crash)
- Fix Commit: fe8cd57da5686f8695415414bda49206a545f7f7
- EPSS Score: 0.45% (Moderate)
Affected Systems
- node-tar < 6.2.1 (fixed in 6.2.1)
- npm CLI (indirectly)
- node-gyp (indirectly)
- Any Node.js application extracting untrusted tarballs
Code Analysis
Commit: fe8cd57
Fix: add a `maxDepth` option (default 1024) that rejects any entry whose path has more components than the limit, before any directory for it is created. The essential lines of the change:

```js
const DEFAULT_MAX_DEPTH = 1024; ... if (parts.length > this.maxDepth) ...
```

Here `parts` is the entry path split on `/`; an entry that fails the check is skipped with a warning instead of being extracted.
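The following is an added example, not node-tar's own code and not taken from the bug report: it builds a tar archive in memory whose last directory entry is nested 5000 levels deep (a path that long has to travel in a PAX `path` record, since the ustar name and prefix fields hold at most 255 bytes between them), then parses the headers with a minimal reader that applies a `maxDepth` check of the same shape before any directory would be created. All helper names (`buildArchive`, `readEntries`, `extractPlan`, `pathDepth`) and the sample archive are assumptions of the example.

```javascript
'use strict';
// Added example, not node-tar's own code: build a tar archive in memory with one
// absurdly deep directory entry, then parse it with a minimal ustar/PAX header
// reader that applies a depth limit before anything would be created on disk.
// Only zero-length entries (directories, empty files) are supported.
const BLOCK = 512;
const DEFAULT_MAX_DEPTH = 1024; // the default node-tar 6.2.1 adopted

// ustar header; `name` must fit the 100-byte field, longer paths go in a PAX record.
function ustarHeader(name, typeflag, size) {
  const h = Buffer.alloc(BLOCK);
  h.write(name, 0, 100, 'latin1');
  h.write('0000755\0', 100, 8);                                // mode
  h.write('0000000\0', 108, 8);                                // uid
  h.write('0000000\0', 116, 8);                                // gid
  h.write(size.toString(8).padStart(11, '0') + '\0', 124, 12); // size (octal)
  h.write('00000000000\0', 136, 12);                           // mtime
  h.write('        ', 148, 8);                                 // chksum: spaces while summing
  h.write(typeflag, 156, 1);
  h.write('ustar\0', 257, 6);
  h.write('00', 263, 2);
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148, 8);
  return h;
}

// PAX record "<len> key=value\n"; <len> counts the whole record, digits included.
function paxRecord(key, value) {
  const body = ` ${key}=${value}\n`;
  let len = Buffer.byteLength(body) + 1;
  while (String(len).length + Buffer.byteLength(body) !== len) len++;
  return Buffer.from(`${len}${body}`);
}

// entries: [{ path, typeflag }], typeflag '5' = directory, '0' = (empty) file.
function buildArchive(entries) {
  const chunks = [];
  for (const e of entries) {
    if (Buffer.byteLength(e.path) > 100) {
      const rec = paxRecord('path', e.path);
      chunks.push(ustarHeader('./PaxHeader', 'x', rec.length), rec,
        Buffer.alloc((BLOCK - (rec.length % BLOCK)) % BLOCK));   // pad data to 512
      chunks.push(ustarHeader('PaxHeader', e.typeflag, 0));       // name comes from PAX
    } else {
      chunks.push(ustarHeader(e.path, e.typeflag, 0));
    }
  }
  chunks.push(Buffer.alloc(2 * BLOCK)); // end-of-archive marker
  return Buffer.concat(chunks);
}

// NUL-terminated text field of a header.
function field(h, start, len) {
  const f = h.subarray(start, start + len);
  const nul = f.indexOf(0);
  return f.toString('latin1', 0, nul === -1 ? len : nul);
}

// Yields { path, typeflag } per entry; a PAX 'path' record overrides the header
// name of the entry that follows it. Checksums are not verified here.
function* readEntries(buf) {
  let off = 0;
  let paxPath = null;
  while (off + BLOCK <= buf.length) {
    const h = buf.subarray(off, off + BLOCK);
    off += BLOCK;
    if (h.every((b) => b === 0)) break;
    const size = parseInt(field(h, 124, 12), 8) || 0;
    const typeflag = field(h, 156, 1) || '0';
    const data = buf.subarray(off, off + size);
    off += Math.ceil(size / BLOCK) * BLOCK;
    if (typeflag === 'x') {
      for (const m of data.toString('utf8').matchAll(/^\d+ ([^=\n]+)=(.*)$/gm)) {
        if (m[1] === 'path') paxPath = m[2];
      }
      continue;
    }
    yield { path: paxPath ?? field(h, 0, 100), typeflag };
    paxPath = null;
  }
}

// Depth = path components after dropping '' and '.'. Same shape as node-tar's
// check (normalize, split on '/', compare to maxDepth); simplified, not a copy.
function pathDepth(p) {
  return p.split('/').filter((s) => s !== '' && s !== '.').length;
}

// Decide from the headers alone which entries an extractor may create.
function extractPlan(buf, maxDepth = DEFAULT_MAX_DEPTH) {
  const accepted = [], rejected = [];
  for (const e of readEntries(buf)) {
    const depth = pathDepth(e.path);
    if (depth > maxDepth) rejected.push({ depth, path: `${e.path.slice(0, 24)}...` });
    else accepted.push(e.path);
  }
  return { accepted, rejected };
}

// Constructed sample: a normal package plus a 5000-level directory (a 10 KB
// path, far beyond the 100+155 bytes a plain ustar header can hold).
const DEEP_DIR = Array(5000).fill('d').join('/') + '/';
const SAMPLE_ARCHIVE = buildArchive([{ path: 'pkg/', typeflag: '5' },
  { path: 'pkg/README', typeflag: '0' }, { path: DEEP_DIR, typeflag: '5' }]);
console.log(extractPlan(SAMPLE_ARCHIVE)); // rejects the deep entry, keeps the other two
```

The point to take from the reader is where the decision happens: the depth is known from the header (or PAX record) before a single `mkdir`, so a correct limit costs nothing, while an extractor that creates directories as it goes has already done the damage by the time the path runs out. Raise `maxDepth` to 5000 and the sample's deep entry is accepted, which is exactly why a tight explicit limit is preferable to the default for untrusted input.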
Exploit Details
- GitHub/HackerOne: Original bug report demonstrating OOM crash via deep folder structure
Mitigation Strategies
- Limit directory nesting depth in archives. This is what the fix does (the `maxDepth` option, default 1024), and the check has to run before any directory for the entry is created.
- Validate path lengths before processing, but treat a length cap as a loose proxy only: with one-character directory names, 1024 levels fit in about 2 KB, so only a very tight cap catches a deep archive.
- Monitor Node.js memory usage for sudden spikes during extraction, and run extraction in a separate worker or process so that a crash does not take the whole service down.
Remediation Steps:
- Update node-tar to version 6.2.1 or later. The `maxDepth` option does not exist in earlier releases, so setting it there changes nothing; the upgrade is the fix.
- Run `npm audit` to identify nested dependencies using vulnerable versions (`npm ls tar --all` lists every copy of the package in the tree, including nested ones).
- If using the library directly, explicitly set the `maxDepth` option to a safe value (e.g., 50) rather than relying on the 1024 default. node-tar reports an over-deep entry as a warning and skips it; pass `strict: true`, or handle the `onwarn` callback, if extraction of untrusted input should fail outright instead.
References
Read the full report for CVE-2024-28863 on our website for more details including interactive diagrams and full exploit analysis.