CVE-2025-48387
Published: 2025-06-02
CVE-2025-48387: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified…
Priority: P3 · 48 · high · 8.7 (CVSS 4.0)
EPSS: 0.47% (37.5th percentile)
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar-fs | < node-tar-fs 2.1.3-0+deb12u1 (bookworm) | node-tar-fs 2.1.3-0+deb12u1 (bookworm) |
| mafintosh | tar-fs | < 1.16.5 | 1.16.5 |
| mafintosh | tar-fs | — | — |
| mafintosh | tar-fs | — | — |
| msrc | cbl2_reaper_3.1.1-19_on_cbl_mariner_2.0 | — | — |
| msrc | cm2_reaper_3.1.1-19_on_cbl_mariner_2.0 | — | — |
| tar-fs_project | tar-fs | >= 0 < 1.16.5 | 1.16.5 |
| tar-fs_project | tar-fs | >= 2.0.0 < 2.1.3 | 2.1.3 |
| tar-fs_project | tar-fs | >= 3.0.0 < 3.0.9 | 3.0.9 |
| ubuntu | node-tar-fs | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.7 | HIGH | — |
| vendor_debian | — | 8.7 | HIGH | — |
| vendor_redhat | — | 8.7 | HIGH | — |
| vendor_msrc | — | 8.2 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
tar-fs vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 7.5
CVE-2025-59343 [HIGH] tar-fs vulnerabilities
Title: tar-fs vulnerabilities
Summary: Several security issues were fixed in tar-fs.
It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this issue to write or overwrite files outside the intended extraction directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-12905)
It was discovered that tar-fs did not properly validate extraction paths for certain crafted tar archives. An attacker could possibly use this issue to write files outside the intended extraction directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-48387)
It was discovered that tar-fs had a symlink validation bypass when
extracting crafted tar files. An attacker could possibly use this
is
Microsoft
tar-fs has issue where extract can write outside the specified dir with a specific tarball
vendor_msrc·2025-06-10·CVSS 8.2
CVE-2025-48387 [HIGH] CWE-22 tar-fs has issue where extract can write outside the specified dir with a specific tarball
tar-fs has issue where extract can write outside the specified dir with a specific tarball
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-M
Red Hat
tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
vendor_redhat·2025-06-02·CVSS 8.7
CVE-2025-48387 [HIGH] CWE-22 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
A flaw was found in tar-fs. This vulnerability allows files to be written outside the intended extraction directory via specially crafted tar archives. The issue arises from insufficient path validation during tarball extraction, potentially enabling path traversal attacks that can overwrite arbitrary files on the system.
Statement: This vulnerability in tar-fs is Important no
Debian
CVE-2025-48387: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1...
vendor_debian·2025·CVSS 8.7
CVE-2025-48387 [HIGH] CVE-2025-48387: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1...
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Scope: local
bookworm: resolved (fixed in 2.1.3-0+deb12u1)
bullseye: resolved (fixed in 2.1.3-0+deb11u1)
forky: resolved (fixed in 3.0.9+~cs2.0.4-1)
sid: resolved (fixed in 3.0.9+~cs2.0.4-1)
trixie: resolved (fixed in 3.0.9+~cs2.0.4-1)
GHSA
tar-fs can extract outside the specified dir with a specific tarball
ghsa·2025-06-03
CVE-2025-48387 [HIGH] CWE-22 tar-fs can extract outside the specified dir with a specific tarball
tar-fs can extract outside the specified dir with a specific tarball
### Impact
v3.0.8, v2.1.2, v1.16.4 and below
### Patches
Has been patched in 3.0.9, 2.1.3, and 1.16.5
### Workarounds
You can use the ignore option to ignore non-files/directories.
```js
const tar = require('tar-fs')

// destinationDir is a placeholder for the directory you extract into.
// tar-fs calls ignore(name, header) for every archive entry and skips the
// entry when the callback returns true.
tar.extract(destinationDir, {
  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }
})
```
### Credit
Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.
OSV
tar-fs can extract outside the specified dir with a specific tarball
osv·2025-06-03
CVE-2025-48387 [HIGH] tar-fs can extract outside the specified dir with a specific tarball
tar-fs can extract outside the specified dir with a specific tarball
OSV
CVE-2025-48387: tar-fs provides filesystem bindings for tar-stream
osv·2025-06-02·CVSS 8.7
CVE-2025-48387 [HIGH] CVE-2025-48387: tar-fs provides filesystem bindings for tar-stream
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-48387 openvino: tar-fs has issue where extract can write outside the specified dir with a specific tarball [fedora-42]
bugzilla·2025-06-03·CVSS 8.7
CVE-2025-48387 [HIGH] CVE-2025-48387 openvino: tar-fs has issue where extract can write outside the specified dir with a specific tarball [fedora-42]
CVE-2025-48387 openvino: tar-fs has issue where extract can write outside the specified dir with a specific tarball [fedora-42]
More information about this security flaw is available in the following bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2369875
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
I believe that we can close this issue since tar-fs is a NPM package and at present we do not ship the JavaScript bindings for OpenVINO in F42 (or rawhide, for that matter).
---
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updat
Bugzilla
CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
bugzilla·2025-06-02·CVSS 8.7
CVE-2025-48387 [HIGH] CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
CVE-2025-48387 tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
References:
- https://github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w
- https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f
- https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v
- https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html
Published: 2025-06-02