CVE-2025-59343
Published: 2025-09-24
CVE-2025-59343: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination…
Priority: P353 · Severity: high · CVSS 4.0 base score: 8.7
EPSS: 0.52% (39.9th percentile)
tar-fs provides filesystem bindings for tar-stream. Versions 3.1.0, 2.1.3, 1.16.5 and earlier are vulnerable to a symlink validation bypass when the destination directory is predictable and a specifically crafted tarball is extracted into it. The issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6. (The NVD wording "prior to 3.1.1, 2.1.3, and 1.16.5" is inconsistent with those fix versions; the upstream advisory lists 2.1.3 and 1.16.5 as affected.) A workaround is to pass an ignore option that skips every entry that is not a regular file or directory, symlinks in particular.
Affected
Affected ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar-fs | < 2.1.3-0+deb12u2 (bookworm) | 2.1.3-0+deb12u2 (bookworm) |
| mafintosh | tar-fs | < 1.16.6 | 1.16.6 |
| tar-fs_project | tar-fs | >= 0 < 1.16.6 | 1.16.6 |
| tar-fs_project | tar-fs | >= 2.0.0 < 2.1.4 | 2.1.4 |
| tar-fs_project | tar-fs | >= 3.0.0 < 3.1.1 | 3.1.1 |
| ubuntu | node-tar-fs | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 8.7 | HIGH | — |
| vendor_debian | — | 8.7 | HIGH | — |
| vendor_redhat | — | 8.7 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
tar-fs vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 7.5
CVE-2025-59343 [HIGH] tar-fs vulnerabilities
Title: tar-fs vulnerabilities
Summary: Several security issues were fixed in tar-fs.
It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker could possibly use this issue to write or overwrite files outside the intended extraction directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-12905)
It was discovered that tar-fs did not properly validate extraction paths for certain crafted tar archives. An attacker could possibly use this issue to write files outside the intended extraction directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-48387)
It was discovered that tar-fs had a symlink validation bypass when extracting crafted tar files. An attacker could possibly use this is
Red Hat
tar-fs: tar-fs symlink validation bypass
vendor_redhat·2025-09-24·CVSS 8.7
CVE-2025-59343 [HIGH] CWE-22 tar-fs: tar-fs symlink validation bypass
tar-fs: tar-fs symlink validation bypass
tar-fs provides filesystem bindings for tar-stream. Versions 3.1.0, 2.1.3, 1.16.5 and earlier (that is, before the fixed releases 3.1.1, 2.1.4 and 1.16.6) are vulnerable to a symlink validation bypass if the destination directory is predictable and a specifically crafted tarball is extracted into it. A workaround is to pass an ignore option that skips entries that are not regular files or directories.
A symlink validation bypass flaw has been discovered in the npm tar-fs library. Affected versions are vulnerable to a symlink validation bypass if the destination directory is predictable with a specific tarball.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicabilit
Debian
CVE-2025-59343: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1...
vendor_debian·2025·CVSS 8.7
CVE-2025-59343 [HIGH] CVE-2025-59343: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1...
tar-fs provides filesystem bindings for tar-stream. Versions 3.1.0, 2.1.3, 1.16.5 and earlier (that is, before the fixed releases 3.1.1, 2.1.4 and 1.16.6) are vulnerable to a symlink validation bypass if the destination directory is predictable and a specifically crafted tarball is extracted into it. A workaround is to pass an ignore option that skips entries that are not regular files or directories.
Scope: local
bookworm: resolved (fixed in 2.1.3-0+deb12u2)
bullseye: resolved (fixed in 2.1.3-0+deb11u2)
forky: resolved (fixed in 3.0.9+~cs2.0.4-2)
sid: resolved (fixed in 3.0.9+~cs2.0.4-2)
trixie: resolved (fixed in 3.0.9+~cs2.0.4-1+deb13u1)
OSV
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
osv·2025-09-24
CVE-2025-59343 [HIGH] tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
### Impact
v3.1.0, v2.1.3, v1.16.5 and below
### Patches
Has been patched in 3.1.1, 2.1.4, and 1.16.6
### Workarounds
You can use the ignore option to skip every entry that is not a regular file or directory. The callback returns true for entries that should be skipped:
```js
const tar = require('tar-fs')
// destinationDir: the directory the archive is extracted into
tar.extract(destinationDir, {
  ignore (_, header) {
    // returning true skips the entry: pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }
})
```
### Credit
Reported by: Mapta / BugBunny_ai
GHSA
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
ghsa·2025-09-24
CVE-2025-59343 [HIGH] CWE-22 tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
Advisory body (Impact, Patches, Workarounds, Credit) identical to the OSV entry above.
OSV
CVE-2025-59343: tar-fs provides filesystem bindings for tar-stream
osv·2025-09-24·CVSS 8.7
CVE-2025-59343 [HIGH] CVE-2025-59343: tar-fs provides filesystem bindings for tar-stream
tar-fs provides filesystem bindings for tar-stream. Versions 3.1.0, 2.1.3, 1.16.5 and earlier (that is, before the fixed releases 3.1.1, 2.1.4 and 1.16.6) are vulnerable to a symlink validation bypass if the destination directory is predictable and a specifically crafted tarball is extracted into it. A workaround is to pass an ignore option that skips entries that are not regular files or directories.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-59343 tar-fs: tar-fs symlink validation bypass
bugzilla·2025-09-24·CVSS 8.7
CVE-2025-59343 [HIGH] CVE-2025-59343 tar-fs: tar-fs symlink validation bypass
CVE-2025-59343 tar-fs: tar-fs symlink validation bypass
tar-fs provides filesystem bindings for tar-stream. Versions 3.1.0, 2.1.3, 1.16.5 and earlier (that is, before the fixed releases 3.1.1, 2.1.4 and 1.16.6) are vulnerable to a symlink validation bypass if the destination directory is predictable and a specifically crafted tarball is extracted into it. A workaround is to pass an ignore option that skips entries that are not regular files or directories.
Discussion:
This issue has been addressed in the following products:
Cryostat 4 on RHEL 9
Via RHSA-2025:17376 https://access.redhat.com/errata/RHSA-2025:17376
---
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.5 for RHEL 9
Red Hat Ansible Automation Platform 2.5 for RHEL 8
Via RHSA-2025:18979 https://access.redhat.com/errata/RHSA-2025:18979
Bugzilla
CVE-2025-59343 openvino: tar-fs symlink validation bypass [fedora-42]
bugzilla·2025-09-24·CVSS 8.7
CVE-2025-59343 [HIGH] CVE-2025-59343 openvino: tar-fs symlink validation bypass [fedora-42]
CVE-2025-59343 openvino: tar-fs symlink validation bypass [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from relea
Published: 2025-09-24