Platform: nodejs
Component: tar-fs
Fixed in: 3.1.1, 2.1.4, 1.16.6
CVE-2025-59343 is a directory traversal vulnerability in the tar-fs component, caused by a bypass of its symlink validation. The flaw can let a crafted archive reach files and directories outside the intended extraction root, which may expose or overwrite sensitive data. Affected are versions 3.1.0, 2.1.3 and 1.16.5 and earlier on their respective release lines; the fix is in 3.1.1, 2.1.4 and 1.16.6. The bypass is reachable when the `ignore` option is used to skip directory entries during extraction.
The vulnerability stems from how tar-fs handles symbolic links during extraction. An attacker crafts a tar archive containing a symlink whose target lies outside the extraction root, followed by entries that are written through that symlink. When a vulnerable version of tar-fs processes such an archive, the symlink check can be bypassed and files outside the intended scope can be read or modified. Depending on the permissions of the extracting process and on which files the attacker can overwrite (for example scripts or configuration that the host later executes), this ranges from data disclosure to modification of data and potentially arbitrary code execution. The blast radius is largest where tar-fs extracts untrusted archives, for instance in build pipelines, download handlers or tooling that unpacks third-party tarballs.
The vulnerability was reported by Mapta / BugBunny_ai and publicly disclosed on 2025-09-24. No public proof-of-concept exploit is known at the time of writing, but the nature of the flaw makes exploitation plausible. Its impact is amplified by the wide use of tar-fs, frequently as a transitive dependency, across Node.js applications and environments.
Exploit status
EPSS: 0.03% (8th percentile)
CISA SSVC: not provided
The primary mitigation is to upgrade to a patched version of tar-fs (3.1.1, 2.1.4 or 1.16.6, or later on the same release line). Where upgrading is not immediately feasible, a workaround is to pass an `ignore` callback to tar-fs that skips every entry which is not a regular file or a directory, so that symlinks, hardlinks and other special entries are never created and cannot be used to redirect later writes. Independently of the library version, treat archives as untrusted input: only extract archives from sources you trust, into a dedicated directory, with a process that has no more file-system privileges than it needs. After upgrading or applying the workaround, verify the fix in a throwaway directory by extracting a test archive that contains a symlink pointing outside the extraction root plus a file written through it, and confirm that the extraction fails or skips the entry and that nothing was created outside the target directory.
Update the tar-fs library to version 3.1.1, 2.1.4 or 1.16.6 or later. This fixes the symlink validation bypass. Alternatively, use the `ignore` option to exclude every entry that is not a regular file or directory.
Vulnerable to CVE-2025-59343 are tar-fs 3.1.0 and earlier on the 3.x line, 2.1.3 and earlier on the 2.x line, and 1.16.5 and earlier on the 1.x line.
No, the `ignore` option is a temporary workaround. The permanent solution is to upgrade to a patched version (3.1.1, 2.1.4 or 1.16.6).
Check which version of tar-fs your application resolves, including transitive dependencies (for example with `npm ls tar-fs` or your lockfile). If it is older than the patched release on its line, it is vulnerable.
Leaving this vulnerability unpatched could allow an attacker who can supply an archive for extraction to read or overwrite files outside the extraction directory, and in the worst case to execute malicious code on the host.
More information about CVE-2025-59343 is available in the tar-fs security advisory on GitHub and in public vulnerability databases.