CVE-2025-48387
published 2025-06-02


Priority: P3 | 48 | high | 8.7 (CVSS 4.0)
EPSS: 0.47% (37.5th percentile)
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified directory when given a specially crafted tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to skip entries that are not regular files or directories.

Affected (10 ranges)

Vendor           Product                                    Version range                                   Fixed in
debian           node-tar-fs                                < node-tar-fs 2.1.3-0+deb12u1 (bookworm)        node-tar-fs 2.1.3-0+deb12u1 (bookworm)
mafintosh        tar-fs                                     < 1.16.5                                        1.16.5
mafintosh        tar-fs                                     (none listed)                                   (none listed)
mafintosh        tar-fs                                     (none listed)                                   (none listed)
msrc             cbl2_reaper_3.1.1-19_on_cbl_mariner_2.0    (none listed)                                   (none listed)
msrc             cm2_reaper_3.1.1-19_on_cbl_mariner_2.0     (none listed)                                   (none listed)
tar-fs_project   tar-fs                                     >= 0, < 1.16.5                                  1.16.5
tar-fs_project   tar-fs                                     >= 2.0.0, < 2.1.3                               2.1.3
tar-fs_project   tar-fs                                     >= 3.0.0, < 3.0.9                               3.0.9
ubuntu           node-tar-fs                                (none listed)                                   (none listed)

CVSS provenance

Source           Version   Score   Severity   Vector
nvd              v4.0      8.7     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv                        8.7     HIGH
vendor_debian              8.7     HIGH
vendor_redhat              8.7     HIGH
vendor_msrc                8.2     HIGH
vendor_ubuntu              7.5     HIGH