🟠 High | Source: Microsoft Security Response Center
CVE-2026-59874 is a vulnerability in node-tar, a widely used JavaScript library for handling tar archive files. A specially crafted tar entry with a negative file size value can trigger an infinite loop during archive replace operations, potentially causing a denial of service. This matters because node-tar is a common dependency in Node.js ecosystems, including tooling deployed in cloud environments and CI/CD pipelines.
Security Architect’s Take: Audit your Azure-hosted workloads, container images, and build pipelines for dependencies on node-tar and update to a patched version immediately; pay particular attention to serverless functions and containerised Node.js applications that process untrusted archive inputs.
Original advisory: CVE-2026-59874 node-tar: Negative tar entry size causes infinite loop in archive replace