CVE-2025-60753: n/a
CVE-2025-60753 is a medium severity vulnerability in libarchive's bsdtar utility prior to version 3.8.1. It arises from improper handling of crafted -s substitution rules in the apply_substitution function, leading to unbounded memory allocation. This flaw can cause an Out-of-Memory (OOM) crash, resulting in a denial of service. Exploitation requires local access and user interaction, with no impact on confidentiality or integrity. No known exploits are currently in the wild. European organizations using vulnerable versions of bsdtar, especially in environments processing untrusted tar archives, may face service disruptions. Mitigation involves updating to libarchive 3.8.1 or later.
AI Analysis
Technical Summary
CVE-2025-60753 is a vulnerability identified in the libarchive project's bsdtar utility, specifically in versions before 3.8.1. The issue exists in the apply_substitution function within tar/subst.c, which processes -s substitution rules used to rewrite file names during archive extraction. When processing specially crafted substitution rules, the function can trigger unbounded memory allocation, leading to excessive consumption of system memory. This uncontrolled allocation can cause the process to crash due to an Out-of-Memory (OOM) condition, effectively resulting in a denial of service (DoS). The vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition) and CWE-400 (Uncontrolled Resource Consumption). The CVSS v3.1 base score is 5.5 (medium), with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating that exploitation requires local access and user interaction but no privileges or authentication. The impact is limited to availability, with no confidentiality or integrity compromise. No public exploits have been reported to date. The vulnerability affects environments where bsdtar is used to process archives with substitution rules, which may include automated backup, extraction, or deployment systems. Since bsdtar is widely used in Unix-like systems, the vulnerability could affect a broad range of applications and services if unpatched.
Potential Impact
For European organizations, the primary impact of CVE-2025-60753 is the potential for denial of service due to bsdtar crashing from excessive memory allocation. This can disrupt automated processes that rely on archive extraction, such as software deployment pipelines, backup restoration, or data ingestion workflows. Organizations processing untrusted or user-supplied tar archives with substitution rules are particularly at risk. While the vulnerability does not allow data theft or modification, service interruptions can affect operational continuity and availability of critical systems. In sectors like finance, healthcare, and government, where uptime and data processing reliability are crucial, such disruptions could have significant operational and reputational consequences. Additionally, if exploited in multi-tenant environments or shared infrastructure, it could lead to broader service degradation. However, the requirement for local access and user interaction limits remote exploitation risks, reducing the threat surface for many organizations.
Mitigation Recommendations
To mitigate CVE-2025-60753, European organizations should promptly upgrade libarchive to version 3.8.1 or later, where the vulnerability has been addressed. Note that -s substitution rules are command-line arguments to bsdtar, not archive content, so exposure concentrates in wrappers, build scripts and services that accept caller-supplied substitution rules and then apply them to untrusted archives. Until patches are applied, restrict the use of bsdtar for processing archives from untrusted sources, and do not forward caller-controlled -s rules at all. Run extraction under explicit resource limits (ulimit, cgroups or a container memory cap) so that an unbounded allocation kills only the bsdtar process rather than degrading the host, and isolate extraction in a sandbox where possible. Monitoring memory usage of extraction tasks can help detect abnormal behavior early. Additionally, review and harden user permissions to prevent unauthorized local access that could trigger exploitation. For automated workflows, consider alternative extraction tools that are not affected by this vulnerability, or disable substitution rule processing if it is not required. Regularly audit and update third-party libraries to maintain security hygiene.
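As an added example, not code from the advisory, from libarchive or from this page, the following POSIX shell script implements two of the steps above: it parses the output of `bsdtar --version`, compares the reported libarchive version against the fixed release 3.8.1, and wraps extraction of an untrusted archive in a subshell with a hard address-space and CPU-time cap, forwarding no -s rules. The two sample version strings are constructed for offline testing; `ulimit -v` is assumed to be available (bash and dash provide it, the macOS shell does not), and the script name `check_bsdtar.sh` is hypothetical.

```sh
#!/bin/sh
# Added example, not part of the advisory or of libarchive: check whether the
# installed bsdtar is built against a fixed libarchive (>= 3.8.1) and extract
# untrusted archives under hard resource limits without any -s rules.

FIXED=3.8.1   # first libarchive release with the apply_substitution fix (per the advisory)

# Constructed sample `bsdtar --version` outputs for offline testing; not captured
# from a real host. The real format is "bsdtar X - libarchive X <libs...>".
SAMPLE_OLD='bsdtar 3.7.4 - libarchive 3.7.4 zlib/1.3 liblzma/5.4.5 bz2lib/1.0.8 libzstd/1.5.5'
SAMPLE_NEW='bsdtar 3.8.1 - libarchive 3.8.1 zlib/1.3.1 liblzma/5.6.2 bz2lib/1.0.8 libzstd/1.5.6'

# Print the libarchive version found in `bsdtar --version` output, or nothing.
libarchive_version_from() {
    printf '%s\n' "$1" | sed -n 's/.*libarchive \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare dotted numeric versions; status 0 when $1 >= $2.
# Missing trailing components count as 0, so 3.8 < 3.8.1 and 3.8.1.0 >= 3.8.1.
version_ge() {
    v1=$1
    v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}
        b=${v2%%.*}
        if [ "$v1" = "$a" ]; then v1=''; else v1=${v1#*.}; fi
        if [ "$v2" = "$b" ]; then v2=''; else v2=${v2#*.}; fi
        a=${a:-0}
        b=${b:-0}
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0
}

# Status 0 when the given `bsdtar --version` output reports libarchive >= FIXED.
bsdtar_is_patched() {
    ver=$(libarchive_version_from "$1")
    [ -n "$ver" ] && version_ge "$ver" "$FIXED"
}

# Extract an untrusted archive into $2 with bsdtar under a hard memory and CPU
# cap, so an unbounded allocation kills only the extractor, not the host.
# No -s rules are forwarded, so caller input never reaches apply_substitution.
# Assumption: the shell provides `ulimit -v` (bash and dash do; macOS sh does not).
safe_extract() {
    archive=$1
    dest=$2
    mkdir -p "$dest" || return 1
    (
        ulimit -v 524288 || exit 1      # 512 MiB address space
        ulimit -t 60 || exit 1          # 60 s CPU time
        exec bsdtar -xf "$archive" -C "$dest"
    )
}

# Command-line use (hypothetical script name):
#   ./check_bsdtar.sh check
#   ./check_bsdtar.sh extract untrusted.tar outdir
# With no arguments the script only defines the functions above.
case "${1:-}" in
    check)
        out=$(bsdtar --version 2>/dev/null) || { echo "bsdtar not found" >&2; exit 2; }
        if bsdtar_is_patched "$out"; then
            echo "patched: $out"
        else
            echo "UNPATCHED (need libarchive >= $FIXED): $out" >&2
            exit 1
        fi ;;
    extract)
        safe_extract "$2" "$3" ;;
esac
```

The 512 MiB cap is an illustrative number; size it to the largest legitimate archive the pipeline handles. On hosts without `ulimit -v`, the same effect can be obtained by running the extraction inside a cgroup or container with a memory limit.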
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 690b728e39a16b4c6e598bdf
Added to database: 11/5/2025, 3:51:42 PM
Last enriched: 11/12/2025, 4:19:11 PM
Last updated: 2/6/2026, 9:15:54 AM