Debian Node-Tar-Fs vulnerabilities

CVE-2025-48387 [HIGH] CVE-2025-48387: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1... tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories. Scope: local bookworm: resolved (fixed in 2.1

CVE-2025-59343 [HIGH] CVE-2025-59343: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1... tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories. Scope: local bookwo

CVE-2024-12905 [HIGH] CVE-2024-12905: node-tar-fs - An Improper Link Resolution Before File Access ("Link Following") and Improper L... An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js

CVE-2018-20835 [HIGH] CVE-2018-20835: node-tar-fs - A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite i... A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. Scope: local bookworm: resolved bullseye: re