
CVE-2025-48387: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in mafintosh tar-fs

Severity: High
Type: Vulnerability (tags: cve, cve-2025-48387, cwe-22)
Published: Mon Jun 02 2025 (06/02/2025, 19:20:18 UTC)
Source: CVE Database V5
Vendor/Project: mafintosh
Product: tar-fs

Description

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified directory when given a specially crafted tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to skip entries that are not regular files or directories.

AI-Powered Analysis

AI analysis last updated: 08/15/2025, 00:39:03 UTC

Technical Analysis

CVE-2025-48387 is a high-severity path traversal vulnerability (CWE-22) in the 'tar-fs' package, which provides filesystem bindings for the 'tar-stream' module. It affects tar-fs versions prior to 1.16.5, versions from 2.0.0 up to but not including 2.1.3, and versions from 3.0.0 up to but not including 3.0.9. The core issue arises during extraction of tarball archives: a specially crafted tarball can cause the extraction process to write files outside the intended target directory. Because the pathname of each entry is not properly confined to the destination directory, an attacker can overwrite arbitrary files on the filesystem, potentially leading to unauthorized file modification or code execution depending on the context in which tar-fs is used. The vulnerability requires no authentication or user interaction and can be exploited remotely if an attacker can supply a malicious tarball to a vulnerable system. The CVSS v4.0 score of 8.7 reflects the high severity of this vulnerability: network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on integrity due to arbitrary file writes. The issue has been patched in versions 1.16.5, 2.1.3, and 3.0.9. As a temporary workaround, users can configure the 'ignore' option to skip entries that are neither regular files nor directories during extraction, reducing the risk of exploitation. No known exploits have been reported in the wild as of the publication date.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially for those relying on the tar-fs package in their software supply chain, deployment pipelines, or any automated extraction of tar archives. Exploitation could lead to unauthorized modification or overwriting of critical system or application files, potentially resulting in system compromise, data integrity loss, or service disruption. This is particularly concerning for sectors with stringent data protection requirements such as finance, healthcare, and government institutions. The ability to write files outside the intended directory could be leveraged to implant backdoors, escalate privileges, or disrupt operations. Additionally, since tar-fs is a component often used in Node.js environments, organizations using containerization, CI/CD pipelines, or cloud-native applications may be at increased risk. The lack of required authentication and user interaction means that any exposed service or process accepting tarballs could be targeted remotely, increasing the attack surface. The absence of known exploits in the wild suggests that proactive patching can effectively mitigate risk before widespread exploitation occurs.

Mitigation Recommendations

European organizations should immediately identify all instances of tar-fs usage within their environments, including direct dependencies and transitive dependencies in Node.js projects. Upgrading to the patched versions 1.16.5, 2.1.3, or 3.0.9 depending on the version series in use is the most effective mitigation. For environments where immediate upgrade is not feasible, configure the extraction process to use the 'ignore' option to skip non-file and non-directory entries, thereby reducing exposure to malicious tarball contents. Additionally, implement strict input validation and sandboxing for any service or process that accepts tarball uploads or extraction requests. Employ file system monitoring to detect unauthorized file writes outside expected directories. Incorporate vulnerability scanning tools that can detect vulnerable tar-fs versions in software inventories. Finally, review and tighten access controls and permissions on directories used for extraction to limit the potential impact of any successful exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-19T15:46:00.397Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683dfb4f182aa0cae252782f

Added to database: 6/2/2025, 7:28:15 PM

Last enriched: 8/15/2025, 12:39:03 AM

Last updated: 8/17/2025, 12:34:14 AM

