🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-59871 is a vulnerability in node-tar, a widely used Node.js library for handling tar archives, where a type confusion bug in PAX numeric path handling can cause a process crash. This denial-of-service condition could disrupt applications or services that process tar archives, particularly those running on Azure or other cloud environments. While not directly a code execution flaw, crashing processes can be leveraged to degrade availability or mask other malicious activity.

Security Architect’s Take: Audit your Azure-hosted Node.js workloads and CI/CD pipelines for dependencies on node-tar and update to the patched version immediately; also review any Azure DevOps or containerised build environments that extract tar archives as part of automated workflows.

Original advisory: CVE-2026-59871 node-tar: Process crash via PAX numeric path type confusion