## Description:
During some analysis today on npm's node-tar
package I came across the folder creation process, Basicly if you provide node-tar with a path like this ./a/b/c/foo.txt
it would create every folder and sub-folder here a, b and c until it reaches the last folder to create foo.txt
, In-this case I noticed that there's no validation at all on the amount of folders being created, that said we're actually able to CPU and memory consume the system running node-tar and even crash the nodejs client within few seconds of running it using a path with too many sub-folders inside
## Steps To Reproduce:
You can reproduce this issue by downloading the tar file I provided in the resources and using node-tar to extract it, you should get the same behavior as the video
## Proof Of Concept:
Here's a video show-casing the exploit:
## Impact
Denial of service by crashing the nodejs client when attempting to parse a tar archive, make it run out of heap memory and consuming server CPU and memory resources
## Report resources
payload.txt
archeive.tar.gz
## Note
This report was originally reported to GitHub bug bounty program, they asked me to report it to you a month ago
Uncontrolled Resource Consumption
2.8
Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
---|---|---|---|---|---|
tar | npm | - | - | <6.2.1 | 6.2.1 |
node-tar | npm | - | - | <6.2.1 | 6.2.1 |
CVSS:3 Severity and metrics
The CVSS metrics represent various qualitative aspects of a vulnerability that influence the overall score above.
Attack Vector (AV)
Network
The vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. This can mean an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain (e.g., MPLS, secure VPN to an administrative network zone). One example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment (e.g., CVE-2013-6014).
Attack Complexity (AC)
Low
Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.
Privileges Required (PR)
None
The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction (UI)
Required
Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.
Scope (S)
Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.
Confidentiality (C)
None
There is no loss of confidentiality.
Integrity (I)
None
There is no loss of trust or accuracy within the impacted component.
Availability (A)
High
There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component.
-
-
CVE-2024-28863
-
CVE-2024-28863
-