CVE-2025-69874 is a critical path traversal vulnerability affecting nanotar, a tar archive extraction library, in versions up to 0.2.0. The flaw resides in the parseTar() and parseTarGzip() functions, which fail to properly sanitize file paths within tar archives. An attacker can craft a malicious tar archive containing path traversal sequences (e.g., '../') that cause files to be extracted outside the intended directory. This arbitrary file write capability can overwrite critical system files or place malicious payloads in sensitive locations, potentially leading to full system compromise. The vulnerability is remotely exploitable without authentication or user interaction, as it only requires the victim system to process a malicious tar archive. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. This vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

The impact of CVE-2025-69874 is severe for organizations worldwide that use nanotar for tar archive extraction, especially in automated or unattended environments. Successful exploitation allows attackers to overwrite arbitrary files, which can lead to remote code execution, privilege escalation, data corruption, or denial of service. Systems relying on nanotar for processing untrusted tar archives are at risk of compromise, potentially affecting servers, development environments, CI/CD pipelines, and containerized applications. The vulnerability undermines system confidentiality by enabling unauthorized file writes, integrity by allowing modification of critical files, and availability by potentially disrupting system operations. Given the remote, unauthenticated nature of the exploit, attackers can leverage this vulnerability as an initial entry vector or lateral movement tool within networks.

To mitigate CVE-2025-69874, organizations should immediately audit all uses of nanotar in their environments and avoid processing untrusted tar archives with vulnerable versions. Until an official patch is released, implement strict input validation and sandboxing around tar extraction processes. Employ file system monitoring to detect unexpected file writes outside designated directories. Use containerization or chroot jails to isolate extraction operations, limiting the impact of potential path traversal. Consider replacing nanotar with alternative, actively maintained libraries that properly sanitize archive paths. Additionally, implement network-level controls to restrict access to services that process tar archives and monitor logs for suspicious extraction activities. Stay updated on vendor advisories for patches or updates addressing this vulnerability.