CVE-2025-59343
published 2025-09-24


Priority: P3 (53)
Severity: high, CVSS 4.0 base score 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.52% (39.9th percentile)
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to a symlink validation bypass if the destination directory is predictable and a specifically crafted tarball is extracted. This issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6. As a workaround, use the ignore option to skip entries that are not regular files or directories.

Affected (8 ranges)

| Vendor         | Product     | Version range                               | Fixed in                                  |
|----------------|-------------|---------------------------------------------|-------------------------------------------|
| debian         | node-tar-fs | < node-tar-fs 2.1.3-0+deb12u2 (bookworm)    | node-tar-fs 2.1.3-0+deb12u2 (bookworm)    |
| mafintosh      | tar-fs      | < 1.16.5                                    | 1.16.5                                    |
| mafintosh      | tar-fs      |                                             |                                           |
| mafintosh      | tar-fs      |                                             |                                           |
| tar-fs_project | tar-fs      | >= 0, < 1.16.6                              | 1.16.6                                    |
| tar-fs_project | tar-fs      | >= 2.0.0, < 2.1.4                           | 2.1.4                                     |
| tar-fs_project | tar-fs      | >= 3.0.0, < 3.1.1                           | 3.1.1                                     |
| ubuntu         | node-tar-fs |                                             |                                           |

CVSS provenance

| Source        | CVSS version | Score | Severity | Vector                                                                                                                                                                                  |
|---------------|--------------|-------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| nvd           | 4.0          | 8.7   | HIGH     | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv           |              | 8.7   | HIGH     |                                                                                                                                                                                         |
| vendor_debian |              | 8.7   | HIGH     |                                                                                                                                                                                         |
| vendor_redhat |              | 8.7   | HIGH     |                                                                                                                                                                                         |
| vendor_ubuntu |              | 7.5   | HIGH     |                                                                                                                                                                                         |