CVE-2025-60753: n/a
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).
AI Analysis
Technical Summary
CVE-2025-60753 is a vulnerability identified in the libarchive project's bsdtar utility, specifically in versions before 3.8.1. The issue resides in the apply_substitution function within tar/subst.c, which processes the -s substitution rules used to rewrite file names during archive extraction. When processing specially crafted substitution rules, the function can trigger unbounded memory allocation, leading to an out-of-memory condition. This results in a denial of service (DoS) by crashing the bsdtar process. The vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition) and CWE-400 (Uncontrolled Resource Consumption). Exploitation requires local access and user interaction, as the attacker must supply a crafted tar archive with malicious -s rules to a vulnerable bsdtar instance. There is no impact on confidentiality or integrity, only availability. No public exploits have been reported to date. The CVSS v3.1 base score is 5.5, indicating medium severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), and impact limited to availability (A:H). The vulnerability was reserved on 2025-09-26 and published on 2025-11-05. No official patches or mitigation links were provided in the source data, but upgrading to libarchive 3.8.1 or later is expected to resolve the issue.
Potential Impact
For European organizations, the primary impact of CVE-2025-60753 is the potential for denial of service on systems using vulnerable versions of bsdtar when processing malicious tar archives with crafted substitution rules. This can disrupt automated backup, deployment, or extraction workflows that rely on bsdtar, potentially causing operational downtime or delays. Since the attack requires local access and user interaction, the risk is higher in environments where untrusted users can execute commands or supply archives, such as shared hosting, developer workstations, or CI/CD pipelines. There is no direct risk to data confidentiality or integrity, but availability interruptions can affect business continuity. Organizations heavily reliant on Linux-based infrastructure and open-source tools, common in European IT environments, may face increased exposure. The absence of known exploits reduces immediate risk, but the medium severity score warrants timely remediation to prevent potential abuse.
Mitigation Recommendations
1. Upgrade libarchive to version 3.8.1 or later as soon as it becomes available to ensure the vulnerability is patched.
2. Restrict access to bsdtar usage by limiting user permissions and controlling who can execute archive extraction commands, especially with the -s option.
3. Implement input validation and scanning of tar archives before processing to detect and block suspicious or malformed substitution rules.
4. Employ application whitelisting or sandboxing to isolate archive extraction processes, minimizing impact in case of exploitation.
5. Monitor system logs for crashes or abnormal memory usage related to bsdtar executions to detect potential exploitation attempts.
6. Educate users and administrators about the risks of processing untrusted archives and the importance of applying security updates promptly.
7. In environments where upgrading is delayed, consider disabling or restricting the use of the -s substitution feature if feasible.
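Added example, not code from the advisory or from the libarchive project: a POSIX shell wrapper that puts recommendations 1, 4 and 7 into practice by gating on the libarchive version parsed from `bsdtar --version` (output format assumed to be "bsdtar X.Y.Z - libarchive X.Y.Z ..."), refusing -s rules unless explicitly allowed, and running extraction under an address-space limit so an unbounded allocation is killed rather than exhausting the host. Function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the advisory or from libarchive.
# Function names are hypothetical; `bsdtar --version` output is assumed to
# look like "bsdtar 3.7.4 - libarchive 3.7.4 zlib/1.3 ...".

# Print the libarchive X.Y.Z version found in a `bsdtar --version` line
# (prints nothing if no version is present).
libarchive_version() {
    printf '%s\n' "$1" | sed -n 's/.*libarchive \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if the libarchive in the given version line is older than 3.8.1
# (affected by CVE-2025-60753), 1 if it is 3.8.1 or newer, 2 if no version
# could be parsed. Fields are compared numerically so 3.10.0 is newer than 3.8.1.
libarchive_affected() {
    v=$(libarchive_version "$1")
    [ -n "$v" ] || return 2
    set -- $(printf '%s' "$v" | tr '.' ' ')   # unquoted on purpose: split X Y Z
    maj=$1 min=$2 pat=$3
    [ "$maj" -lt 3 ] && return 0
    [ "$maj" -gt 3 ] && return 1
    [ "$min" -lt 8 ] && return 0
    [ "$min" -gt 8 ] && return 1
    [ "$pat" -lt 1 ]
}

# Extract with bsdtar under an address-space cap (KiB) so a runaway allocation
# in apply_substitution hits the limit instead of exhausting the host.
# Standalone -s / -s<rule> arguments are refused unless SUBST_ALLOWED=1
# (return code 3). Usage: safe_bsdtar_extract 524288 -f archive.tar -C /tmp/out
safe_bsdtar_extract() {
    mem_kb=$1; shift
    for arg in "$@"; do
        case $arg in
            -s*) [ "${SUBST_ALLOWED:-0}" = 1 ] || {
                     echo "refusing -s substitution rule" >&2; return 3; } ;;
        esac
    done
    if libarchive_affected "$(bsdtar --version 2>/dev/null)"; then
        echo "warning: libarchive older than 3.8.1; relying on memory cap only" >&2
    fi
    ( ulimit -v "$mem_kb" && exec bsdtar -x "$@" )
}
```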
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690b728e39a16b4c6e598bdf
Added to database: 11/5/2025, 3:51:42 PM
Last enriched: 11/5/2025, 4:06:59 PM
Last updated: 11/5/2025, 5:04:56 PM