
Cloud Vulnerability DB
A community-led vulnerabilities database
node-tar versions prior to 6.2.1 contain a vulnerability in which no limit is placed on the number of sub-folders created during the folder creation process. The vulnerability was discovered and disclosed on March 21, 2024, affecting the node-tar package, a Tar implementation for Node.js (GitHub Advisory).
The vulnerability stems from the lack of validation on the number of sub-folders being created during the tar extraction process. When node-tar processes a path like ./a/b/c/foo.txt, it creates every folder and sub-folder (a, b, and c) until it reaches the final destination. Without proper validation on folder depth, attackers can exploit this behavior by crafting tar files with excessive subfolder nesting (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (NVD).
Successful exploitation of this vulnerability can lead to Denial of Service (DoS) by consuming memory on the system running node-tar and potentially crashing the Node.js client within seconds of processing a maliciously crafted tar file containing excessive subfolder nesting (GitHub Advisory, NetApp Advisory).
The vulnerability has been fixed in node-tar version 6.2.1 by implementing a limit on the number of sub-folders that can be created during extraction. The default limit is 1024 levels of sub-folder nesting, and it can be adjusted or set to Infinity to remove the limitation (GitHub Commit).
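As an added example (not node-tar's own code, nor code from this report), the following JavaScript parses ustar headers from an in-memory archive and reports entries whose folder depth exceeds a limit, the class of check the 6.2.1 fix introduced; the sample archive, the helper names and the limit of 5 used for the demonstration are constructed for illustration.

```javascript
// Added example (not node-tar's code): parse ustar headers from an in-memory
// archive and reject entries nested deeper than a limit, the class of check
// node-tar 6.2.1 added (default 1024 levels).
const BLOCK = 512;

// Constructed test data: a minimal ustar header with an empty body for `name`.
function tarHeader(name, typeflag = '0') {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(name, 0, 100, 'utf8');       // name field is 100 bytes; keep paths short here
  h.write('0000644\0', 100);           // mode
  h.write('0000000\0', 108);           // uid
  h.write('0000000\0', 116);           // gid
  h.write('00000000000\0', 124);       // size: 0 bytes
  h.write('00000000000\0', 136);       // mtime
  h.write('        ', 148);            // checksum field is spaces while summing
  h.write(typeflag, 156);              // '0' regular file, '5' directory
  h.write('ustar\0' + '00', 257);      // magic + version
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}

function buildTar(names) {
  const blocks = names.map(n => tarHeader(n, n.endsWith('/') ? '5' : '0'));
  return Buffer.concat([...blocks, Buffer.alloc(2 * BLOCK, 0)]); // two zero blocks end the archive
}

// Number of folders extraction would have to create for this entry path.
function pathDepth(name) {
  const parts = name.split('/').filter(p => p !== '' && p !== '.');
  return name.endsWith('/') ? parts.length : Math.max(parts.length - 1, 0);
}

// Walk header blocks, skipping each entry's body; no GNU long-name support.
function* entries(tar) {
  for (let off = 0; off + BLOCK <= tar.length && tar[off] !== 0; ) {
    const name = tar.toString('utf8', off, off + 100).replace(/\0.*$/s, '');
    const prefix = tar.toString('utf8', off + 345, off + 500).replace(/\0.*$/s, '');
    const size = parseInt(tar.toString('ascii', off + 124, off + 136).replace(/\0.*$/s, '') || '0', 8);
    yield { name: prefix ? `${prefix}/${name}` : name, size };
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK;
  }
}

// Return the entry names that exceed maxDepth; extraction should stop on any hit.
function checkDepth(tar, maxDepth = 1024) {
  return [...entries(tar)].map(e => e.name).filter(n => pathDepth(n) > maxDepth);
}

// Constructed sample: a benign 3-level path and a 40-level one.
const sample = buildTar(['./a/b/c/foo.txt', 'a/'.repeat(40) + 'x']);
console.log(checkDepth(sample, 5)); // prints the 40-level entry only
```

In node-tar 6.2.1 and later the equivalent limit is the `maxDepth` extract option documented in node-tar's README (not taken from this page); the scanner above is a pre-extraction check for environments that cannot upgrade yet.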
Source: This report was generated using AI