{"id":"AZL-37121","summary":"CVE-2024-28863 affecting package nodejs18 for versions less than 18.20.3-1","details":"node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders.","modified":"2026-04-01T05:13:12.153882Z","published":"2024-03-21T23:15:10Z","upstream":["CVE-2024-28863"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-28863"}],"affected":[{"package":{"name":"nodejs18","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/nodejs18"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"18.20.3-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-37121.json"}}],"schema_version":"1.7.5"}