cbcvebase.

Debian Node-Tar-Fs vulnerabilities

3 known vulnerabilities affecting debian/node-tar-fs.

Total CVEs
3
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
HIGH3

Vulnerabilities

Page 1 of 1
CVE-2024-12905P3HIGHCVSS 7.5PoCfixed in node-tar-fs 2.1.3-0+deb12u1 (bookworm)2024
CVE-2024-12905 [HIGH] CVE-2024-12905: node-tar-fs - An Improper Link Resolution Before File Access ("Link Following") and Improper L... An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js
debian
CVE-2025-59343P3HIGHCVSS 8.7fixed in node-tar-fs 2.1.3-0+deb12u2 (bookworm)2025
CVE-2025-59343 [HIGH] CVE-2025-59343: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1... tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories. Scope: local bookwo
debian
CVE-2025-48387P3HIGHCVSS 8.7fixed in node-tar-fs 2.1.3-0+deb12u1 (bookworm)2025
CVE-2025-48387 [HIGH] CVE-2025-48387: node-tar-fs - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1... tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories. Scope: local bookworm: resolved (fixed in 2.1
debian
Debian Node-Tar-Fs vulnerabilities | cvebase