CVE-2025-45582

CWE-24 | 6 documents | 6 sources
Severity: 4.1 MEDIUM
EPSS: 0.1% (top 76.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 11

Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the prot

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L
Exploitability: 1.0 | Impact: 2.7

Affected Packages (2 packages)

NVD: gnu/tar < 1.35
CVEListV5: gnu/tar 1.35

Vulnerability Details (3)

OSV: CVE-2025-45582: GNU Tar through 1… (2025-07-11)
CVEList: CVE-2025-45582: GNU Tar through 1… (2025-07-11)
GHSA: GHSA-f93m-9mq4-2fjj: GNU Tar through 1… (2025-07-11)

Vendor Advisories (2)

Red Hat: tar: Tar path traversal (2025-07-11)
Microsoft: GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a… (2025-07-08)