Tar-Fs Project / Tar-Fs vulnerabilities
4 known vulnerabilities affecting tar-fs_project/tar-fs.
Total CVEs: 4
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH: 4
Vulnerabilities
CVE-2025-59343 | HIGH | Affected: ≥ 3.0.0, < 3.1.1; ≥ 2.0.0, < 2.1.4; +1 more | 2025-09-24
CVE-2025-59343 [HIGH] CWE-22 tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
### Impact
Affects v3.1.0, v2.1.3, v1.16.5 and below.
### Patches
Has been patched in 3.1.1, 2.1.4, and 1.16.6
### Workarounds
You can use the ignore option to skip entries that are not files or directories.
```js
ignore (_, header) {
  // return true to skip an entry: pass files & directories, ignore e.g. symlinks
  return header.type !== 'file' && header.type !== 'directory'
}
```
Sources: GHSA, OSV
CVE-2025-48387 | HIGH | Affected: ≥ 0, < 1.16.5; ≥ 2.0.0, < 2.1.3; +1 more | 2025-06-03
CVE-2025-48387 [HIGH] CWE-22 tar-fs can extract outside the specified dir with a specific tarball
### Impact
Affects v3.0.8, v2.1.2, v1.16.4 and below.
### Patches
Has been patched in 3.0.9, 2.1.3, and 1.16.5
### Workarounds
You can use the ignore option to skip entries that are not files or directories.
```js
ignore (_, header) {
  // return true to skip an entry: pass files & directories, ignore e.g. symlinks
  return header.type !== 'file' && header.type !== 'directory'
}
```
Sources: GHSA, OSV
CVE-2024-12905 | HIGH | PoC | Affected: ≥ 0, < 1.16.4; ≥ 2.0.0, < 2.1.2; +1 more | 2025-03-27
CVE-2024-12905 [HIGH] CWE-22 tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") vulnerability. This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside t
Sources: GHSA, OSV
CVE-2018-20835 | HIGH | CVSS 7.5 | fixed in 1.16.2 | 2019-04-30
CVE-2018-20835 [HIGH] CWE-20
A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
Sources: GHSA, NVD, OSV