CVE-2025-45582: CWE-24 Path Traversal: '../filedir' in GNU Tar
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).
AI Analysis
Technical Summary
CVE-2025-45582 is a path traversal vulnerability affecting GNU Tar versions up to 1.35. The vulnerability arises from a two-step extraction process involving specially crafted TAR archives. In the first step, an attacker supplies a TAR archive containing a symbolic link (symlink) entry that points to a critical directory outside the intended extraction path using directory traversal sequences (e.g., '../'). For example, the symlink 'x' might point to a sensitive directory such as '/home/victim/.ssh'. In the second step, the attacker supplies another TAR archive containing a file whose path begins with the symlink name created in the first archive and ends with the name of a critical file within the targeted directory (e.g., 'x/authorized_keys'). When extracted sequentially, the TAR utility follows the symlink and overwrites the critical file, bypassing the usual protection mechanisms that block direct '../' traversal within a single archive. This vulnerability exploits the fact that protections are applied per archive and do not consider cumulative effects across multiple extractions. The vulnerability is particularly relevant for server applications that automatically extract multiple user-supplied TAR archives without sufficient validation or isolation. The impact includes unauthorized overwriting of critical files, potentially leading to privilege escalation, unauthorized access, or service disruption. The CVSS 3.1 base score is 4.1 (medium severity), reflecting local attack vector, high attack complexity, no privileges required, user interaction required, scope changed, no confidentiality impact, low integrity impact, and low availability impact. No known exploits are reported in the wild as of the publication date. No patches are linked yet, indicating that mitigation may require manual intervention or updated versions once released.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to systems that automatically process TAR archives from untrusted or semi-trusted sources, such as web hosting providers, continuous integration/deployment pipelines, or file-sharing services. Overwriting critical files like SSH authorized_keys could allow attackers to gain persistent unauthorized access, leading to data breaches or lateral movement within networks. The medium severity score suggests limited direct confidentiality impact but notable integrity and availability concerns. Organizations relying on GNU Tar for automated extraction without additional sandboxing or validation are at risk. Given the widespread use of GNU Tar in Linux-based environments common in Europe, the vulnerability could affect a broad range of sectors including government, finance, healthcare, and critical infrastructure. The requirement for user interaction (extracting archives) and local access reduces the likelihood of remote exploitation but does not eliminate risk in multi-tenant or shared environments where users can upload archives. The bypass of traversal protections across multiple archives is a subtle attack vector that may evade detection by standard security controls, increasing the risk of unnoticed compromise.
Mitigation Recommendations
1. Immediately audit and restrict automated TAR extraction processes to trusted sources only.
2. Implement strict validation of TAR archive contents before extraction, including checking for symlinks and directory traversal sequences across multiple archives cumulatively.
3. Use extraction tools or options that disable symlink extraction or sandbox extraction paths to prevent files from being written outside designated directories.
4. Monitor critical directories (e.g., ~/.ssh) for unauthorized changes, and implement file integrity monitoring solutions.
5. Apply the principle of least privilege to processes performing extraction, ensuring they cannot overwrite critical system or user files.
6. Where possible, upgrade to a patched version of GNU Tar once available.
7. Educate users and administrators about the risks of extracting untrusted archives and enforce policies to prevent manual extraction of suspicious archives.
8. Consider containerizing or isolating extraction environments to limit the impact of potential exploitation.
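Recommendations 2 and 3 amount to checking where each member will really land on disk instead of scanning member names for '..' one archive at a time. The Python script below is an added example, not code from this advisory or from GNU tar: it replays the two-stage scenario from the description inside a throwaway directory, resolves each member through any symlink that an earlier extraction left behind, and rejects both the escaping symlink and the later 'x/authorized_keys' member while the protected file stays intact. Directory layout, archive contents and key strings are constructed test data.

```python
import io, os, tarfile, tempfile

def build_archive(name, data=b"", linkname=None):
    """Single-member tar in memory (constructed test data, not a real sample)."""
    info = tarfile.TarInfo(name)
    if linkname is not None:
        info.type, info.linkname = tarfile.SYMTYPE, linkname
    info.size = len(data)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def escapes(dest, path):
    """True if path, resolved through any symlink already on disk, leaves dest."""
    return os.path.commonpath([dest, os.path.realpath(path)]) != dest

def safe_extract(archive_bytes, dest):
    """Extract members whose real on-disk target stays inside dest; return rejected names.
    realpath() follows symlinks created by earlier archives, unlike a per-archive '..' scan."""
    dest = os.path.realpath(dest)
    rejected = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tf:
        for m in tf:
            full = os.path.join(dest, m.name)
            # For symlink members also resolve the link target relative to the member's directory
            link = os.path.join(os.path.dirname(full), m.linkname) if m.issym() else full
            if escapes(dest, full) or escapes(dest, link):
                rejected.append(m.name)
                continue
            # Use the stdlib 'data' filter where available (Python 3.12+ and backports)
            tf.extract(m, dest, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
    return rejected

def demo():
    """Replays the two-stage scenario in a temp tree; returns (rejected1, rejected2, file_intact)."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        ssh = os.path.join(root, "home", "victim", ".ssh")   # constructed stand-in for ~/.ssh
        dest = os.path.join(root, "extract")
        os.makedirs(ssh); os.makedirs(dest)
        with open(os.path.join(ssh, "authorized_keys"), "w") as f:
            f.write("ssh-ed25519 LEGIT\n")
        stage1 = build_archive("x", linkname="../home/victim/.ssh")  # member name has no '..'
        stage2 = build_archive("x/authorized_keys", b"ssh-ed25519 ROGUE\n")
        r1 = safe_extract(stage1, dest)                     # link target escapes dest -> rejected
        os.symlink("../home/victim/.ssh", os.path.join(dest, "x"))  # what a naive extractor creates
        r2 = safe_extract(stage2, dest)                     # resolves through x -> rejected
        with open(os.path.join(ssh, "authorized_keys")) as f:
            return r1, r2, f.read() == "ssh-ed25519 LEGIT\n"
```

The second stage is rejected even though the symlink was deliberately placed on disk, which is the cumulative check a per-archive name scan lacks.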
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6871435da83201eaacafb6f2
Added to database: 7/11/2025, 5:01:17 PM
Last enriched: 7/11/2025, 5:16:10 PM
Last updated: 8/1/2025, 10:43:01 AM