CVE-2025-59343 — Path Traversal in Tar-fs

CWE-22 — Path Traversal CWE-61 — UNIX Symbolic Link (Symlink) Following6 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.0%

top 91.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mafintosh Tar-fs Debian Node-tar-fs Tar-fs Project Tar-fs

Timeline

PublishedSep 24

Description

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶CVEListV5mafintosh/tar-fs< 1.16.5+2

▶debiandebian/node-tar-fs< node-tar-fs 2.1.3-0+deb12u2 (bookworm)

▶npmtar-fs_project/tar-fs3.0.0 — 3.1.1+2

🔴Vulnerability Details

OSV

tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball↗2025-09-24

▶

GHSA

tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball↗2025-09-24

▶

OSV

CVE-2025-59343: tar-fs provides filesystem bindings for tar-stream↗2025-09-24

▶

📋Vendor Advisories

Red Hat

tar-fs: tar-fs symlink validation bypass↗2025-09-24

▶

Debian

CVE-2025-59343: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1...↗2025

▶