Platform: nodejs
Component: tar-fs
Fixed in: 1.16.6, 2.0.1, 3.0.1, 1.16.5
CVE-2025-48387 is a file handling vulnerability discovered in the tar-fs library for Node.js. It could allow an attacker to have malicious files written from a specially crafted tar archive, potentially leading to code execution or data compromise. The vulnerability affects versions 3.0.8, 2.1.2, and 1.16.4 and earlier on their respective release lines, and has been patched in versions 3.0.9, 2.1.3, and 1.16.5.
The core of this vulnerability lies in the way tar-fs handles symbolic links during archive extraction. An attacker could craft a malicious tar archive containing carefully constructed symlinks that, when extracted, lead to traversal outside the intended extraction directory. This could allow the attacker to read, write, or even execute arbitrary files on the system, depending on the permissions of the user running the extraction process. The potential impact is significant, ranging from data breaches to complete system compromise. While the vulnerability description doesn't explicitly mention it, a successful exploit could potentially be chained with other vulnerabilities to achieve privilege escalation.
This vulnerability was reported by Caleb Brown from the Google Open Source Security Team. As of the publication date (2025-06-03), there is no indication of active exploitation or a KEV listing. Public proof-of-concept code is not currently available, but the potential for exploitation exists given the nature of the vulnerability and the ease with which malicious tar archives can be constructed. The CVSS score of 7.5 (HIGH) reflects the potential impact and relative ease of exploitation.
Applications built with Node.js that utilize the tar-fs library to process tar archives are at risk. This includes applications that handle user-uploaded archives or process data from untrusted sources. Specifically, applications relying on older versions of tar-fs (3.0.8 and below) are particularly vulnerable.
• nodejs / server: npm list tar-fs
• nodejs / server: npm audit tar-fs
• nodejs / server: Check application code for instances where tar archives are extracted using the tar-fs library. Review code for proper validation of archive contents.
disclosure
Exploit status
EPSS: 0.28% (51st percentile)
CISA SSVC
The primary mitigation for CVE-2025-48387 is to upgrade to a patched version of tar-fs: 3.0.9, 2.1.3, or 1.16.5. If upgrading is not immediately feasible, a workaround is to use the ignore option of the tar-fs library to explicitly exclude symlinks and every other entry that is neither a regular file nor a directory during extraction. This prevents the library from attempting to resolve and process these potentially malicious entries. The provided JavaScript code snippet demonstrates how to implement this ignore function. After upgrading, confirm the fix by attempting to extract a known malicious tar archive containing symlinks and verifying that the extraction process does not write outside the intended directory.
Update the tar-fs library to version 3.0.9, 2.1.3 or 1.16.5, or later. This fixes the vulnerability that allows writing outside the specified directory. Alternatively, use the 'ignore' option to skip archive entries that are not regular files or directories.
CVE-2025-48387 is a HIGH severity vulnerability affecting Node.js tar-fs versions 3.0.8 and below, allowing attackers to extract malicious files from crafted tar archives.
You are affected if you are using Node.js tar-fs versions 3.0.8, 2.1.2, or 1.16.4 or earlier. Upgrade to 3.0.9, 2.1.3, or 1.16.5 to resolve the issue.
Upgrade to version 3.0.9, 2.1.3, or 1.16.5. As a temporary workaround, use the ignore option to filter out non-file/directory entries during extraction.
As of the public disclosure date, there is no evidence of active exploitation, but the potential for exploitation exists.
Refer to the project's repository or relevant security mailing lists for the official advisory. Check the Google Open Source Security Team's reports for more details.