CVE-2025-48387 — Path Traversal in Tar-fs

CWE-22 — Path Traversal7 documents6 sources

Severity

8.7HIGHNVD

EPSS

1.0%

top 22.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mafintosh Tar-fs Debian Node-tar-fs Tar-fs Project Tar-fs +2 more

Timeline

PublishedJun 2

Latest updateJun 10

Description

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages5 packages

▶CVEListV5mafintosh/tar-fs< 1.16.5+2

▶debiandebian/node-tar-fs< node-tar-fs 2.1.3-0+deb12u1 (bookworm)

▶npmtar-fs_project/tar-fs2.0.0 — 2.1.3+2

▶msrcmsrc/cm2_reaper_3.1.1-19_on_cbl_mariner_2.0

▶msrcmsrc/cbl2_reaper_3.1.1-19_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

tar-fs can extract outside the specified dir with a specific tarball↗2025-06-03

▶

OSV

tar-fs can extract outside the specified dir with a specific tarball↗2025-06-03

▶

OSV

CVE-2025-48387: tar-fs provides filesystem bindings for tar-stream↗2025-06-02

▶

📋Vendor Advisories

Microsoft

tar-fs has issue where extract can write outside the specified dir with a specific tarball↗2025-06-10

▶

Red Hat

tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball↗2025-06-02

▶

Debian

CVE-2025-48387: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1...↗2025

▶