🟠 High  |  Source: Microsoft Security Response Center


CVE-2026-59873 is a denial-of-service vulnerability in node-tar, a widely used Node.js library for handling tar archive files. An attacker can craft a malicious archive that causes the parser to consume unlimited resources during decompression, potentially crashing or severely degrading affected services. Because node-tar is a common dependency in cloud-hosted Node.js applications and toolchains, the blast radius across Azure-hosted workloads could be significant.

Security Architect’s Take: Audit your Azure-hosted Node.js applications and CI/CD pipelines for dependencies on node-tar and update to a patched version immediately; also review any Azure Functions, Container Apps, or App Service workloads that process user-supplied archive files, as these represent the highest-risk attack surface.

Original advisory: CVE-2026-59873 node-tar: Decompression/parse DoS via unlimited input