
CVE-2025-45582: CWE-24 Path Traversal: '../filedir' in GNU Tar

Medium
Tags: Vulnerability, CVE-2025-45582, cve, cve-2025-45582, cwe-24
Published: Fri Jul 11 2025 (07/11/2025, 00:00:00 UTC)
Source: CVE Database V5
Vendor/Project: GNU
Product: Tar

Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

AI-Powered Analysis

Last updated: 08/19/2025, 01:15:37 UTC

Technical Analysis

CVE-2025-45582 is a medium-severity path traversal vulnerability affecting GNU Tar versions up to 1.35. The vulnerability arises from a two-step extraction process involving crafted TAR archives that bypass the usual protections against directory traversal attacks. Normally, GNU Tar blocks extraction of files with member names containing '..' to prevent overwriting critical system files outside the intended extraction directory. However, this vulnerability exploits the scenario where two separate TAR archives are extracted sequentially into the same directory. The first archive contains a symbolic link entry (e.g., 'x -> ../../../../../home/victim/.ssh') that points to a critical directory outside the extraction root. The second archive contains a file path starting with the symlink name followed by a critical file name (e.g., 'x/authorized_keys'). When extracted, the second archive's file path follows the symlink and overwrites the critical file in the victim's home directory. This bypasses the single-archive traversal check because each archive individually appears safe, but combined they enable overwriting sensitive files.

This vulnerability is particularly relevant for server applications or automated processes that extract multiple user-supplied TAR archives into the same directory without resetting or isolating the extraction environment. It also affects software installation processes that run 'tar xf' multiple times on untrusted tarballs, such as when installing dependencies from unverified sources.

The vulnerability does not require privileges but does require user interaction (extracting archives). The CVSS 3.1 score is 4.1 (medium), reflecting local attack vector, high attack complexity, no privileges required, user interaction required, and limited impact on integrity and availability. No known exploits are reported in the wild as of now.

Potential Impact

For European organizations, this vulnerability poses a risk primarily to systems that automatically extract multiple TAR archives from untrusted or semi-trusted sources, such as CI/CD pipelines, automated deployment servers, or package management systems that handle tarballs directly. Successful exploitation can lead to unauthorized overwriting of critical files, such as SSH authorized_keys, enabling attackers to gain persistent unauthorized access or disrupt services. This can compromise system integrity and availability, potentially leading to lateral movement within networks or data breaches. Organizations relying on GNU Tar for software installation or automated extraction without strict isolation or validation are at risk. The impact is heightened in environments where multiple TAR extractions occur in the same directory without cleaning or sandboxing, a practice sometimes recommended by third-party guides contrary to official GNU Tar security advice. While the vulnerability requires user interaction (extracting archives), automated processes that handle user-supplied archives without validation increase exposure. The medium severity score reflects limited confidentiality impact but notable integrity and availability concerns. European organizations with critical infrastructure, government, or financial sectors using GNU Tar in automated workflows should be particularly vigilant.

Mitigation Recommendations

1. Avoid extracting multiple TAR archives sequentially into the same directory without cleaning or isolating the extraction environment. Use a fresh, empty directory for each extraction to prevent symlink reuse.
2. Upgrade GNU Tar to a patched version beyond 1.35 once available, as the vulnerability is specific to versions through 1.35.
3. Implement strict validation of TAR archives before extraction, including scanning for symbolic links and suspicious pathnames that could lead to directory traversal.
4. Use containerization or sandboxing techniques to isolate extraction processes, limiting potential damage from malicious archives.
5. For automated systems, enforce policies that reject or quarantine TAR archives containing symlinks or unusual path structures.
6. Educate system administrators and developers about the risks of running 'tar xf' multiple times into the same directory and encourage adherence to official GNU Tar security guidelines.
7. Monitor critical files such as SSH authorized_keys for unexpected changes and implement file integrity monitoring.
8. Where possible, replace TAR extraction with more secure package management tools that verify package integrity and authenticity.
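One way to implement recommendations 3 and 5 for a pipeline that must extract several untrusted tarballs into one directory (an added example, not GNU Tar's code or part of this advisory): check each member against what is already on disk immediately before writing it, so a symlink planted by an earlier archive is followed and caught even though the member name contains no '..'. The archive names, the `victim_ssh` stand-in for ~/.ssh, and the helper functions are this example's own constructions; on Python 3.12+ the built-in `filter="data"` is passed as an additional guard.

```python
import io, os, tarfile, tempfile
class UnsafeMember(Exception): "A tar member would read or write outside the extraction root."

def check_member(root, member):
    """Refuse a member that escapes root once symlinks ALREADY ON DISK are followed: realpath()
    resolves a planted 'x' -> ../../.ssh, so 'x/authorized_keys' is refused despite lacking '..'."""
    root = os.path.realpath(root)
    if os.path.isabs(member.name) or ".." in member.name.split("/"):
        raise UnsafeMember(f"suspicious name {member.name!r}")
    dest = os.path.realpath(os.path.join(root, member.name))
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeMember(f"{member.name!r} resolves to {dest}")
    if member.issym() or member.islnk():
        base = os.path.dirname(dest) if member.issym() else root  # symlink targets are relative
        if os.path.commonpath([root, os.path.realpath(os.path.join(base, member.linkname))]) != root:
            raise UnsafeMember(f"link {member.name!r} -> {member.linkname!r} leaves root")

def safe_extract(archive, root):
    """Check each member right before writing it, so links from earlier members count."""
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # extra guard on 3.12+
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            check_member(root, m)
            tf.extract(m, root, **kw)

def _add(tf, name, data=b"", symlink_to=None):
    ti = tarfile.TarInfo(name)
    if symlink_to:
        ti.type, ti.linkname = tarfile.SYMTYPE, symlink_to
    ti.size = len(data)
    tf.addfile(ti, io.BytesIO(data))

def demo():
    """Constructed two-archive scenario from the advisory, run inside a temp directory."""
    with tempfile.TemporaryDirectory() as top:
        root, victim = os.path.join(top, "extract"), os.path.join(top, "victim_ssh")
        os.makedirs(root); os.makedirs(victim)  # victim_ssh stands in for ~/.ssh
        with tarfile.open(os.path.join(top, "first.tar"), "w") as tf:
            _add(tf, "x", symlink_to="../victim_ssh")  # step 1: symlink pointing outside root
        with tarfile.open(os.path.join(top, "second.tar"), "w") as tf:
            _add(tf, "x/authorized_keys", b"ssh-ed25519 AAAA attacker\n")  # step 2: no '..' in name
        verdict = {}
        for step in ("first", "second"):
            if step == "second":  # plant what an unchecked 'tar xf' of first.tar would have left
                os.symlink("../victim_ssh", os.path.join(root, "x"))
            try:
                safe_extract(os.path.join(top, f"{step}.tar"), root); verdict[step] = "extracted"
            except UnsafeMember:
                verdict[step] = "refused"
        verdict["victim_untouched"] = not os.path.exists(os.path.join(victim, "authorized_keys"))
        return verdict
```

Running `demo()` refuses both archives: the first because its link target leaves the root, the second because `x/authorized_keys` resolves through the planted symlink to a path outside the root.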


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6871435da83201eaacafb6f2

Added to database: 7/11/2025, 5:01:17 PM

Last enriched: 8/19/2025, 1:15:37 AM

Last updated: 9/17/2025, 3:21:23 AM
