Platform
nodejs
Component
tar
Fixed in
2.0.0
CVE-2015-8860 describes an arbitrary file access vulnerability affecting versions of the tar utility prior to 2.0.0. This flaw allows attackers to write files outside the intended extraction directory by exploiting insufficient verification of symbolic links. Successful exploitation can lead to unauthorized file modifications and potential system compromise. Affected versions include all releases before 2.0.0; upgrading to 2.0.0 or later resolves the issue.
The arbitrary file access vulnerability in tar allows an attacker to write files to locations outside the intended extraction directory. This can be exploited to overwrite critical system files, inject malicious code, or gain unauthorized access to sensitive data. An attacker could craft a malicious tar archive containing symbolic links that, when extracted, would write files to arbitrary locations on the system. The potential impact is significant, ranging from data corruption to complete system takeover, depending on the permissions of the user running the tar command and the target system's configuration. This vulnerability shares similarities with other symbolic link exploitation techniques that have been used to bypass security controls and achieve privilege escalation.
CVE-2015-8860 was publicly disclosed in 2017. There is no indication of it being on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the ease of exploitation. While no active campaigns have been definitively linked to this specific CVE, the availability of PoCs increases the risk of opportunistic exploitation. The vulnerability's simplicity and widespread use of tar make it an attractive target for attackers.
Exploit Status
EPSS
0.37% (59% percentile)
CVSS Vector
The primary mitigation for CVE-2015-8860 is to upgrade to tar version 2.0.0 or later, which includes the necessary fix to properly verify symbolic link targets. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting the extraction directory to a controlled environment or employing file system access controls to limit write permissions. Additionally, carefully scrutinize any tar archives received from untrusted sources before extraction. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the tar utility itself. After upgrading, confirm the fix by attempting to extract a tar archive containing symbolic links pointing outside the intended extraction directory; the extraction should fail with an error indicating invalid symbolic link target.
No official patch available. Check for workarounds or monitor for updates.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2015-8860 is a vulnerability in tar versions before 2.0.0 that allows attackers to write files outside the intended extraction directory by exploiting symbolic link verification issues.
You are affected if you are using a version of tar older than 2.0.0. Check your tar version using tar --version.
Upgrade to tar version 2.0.0 or later to resolve this vulnerability. This fix properly validates symbolic link targets during extraction.
While no active campaigns have been definitively linked, public proof-of-concept exploits exist, increasing the risk of opportunistic exploitation.
Refer to the GNU tar project website for information and updates related to this vulnerability: https://www.gnu.org/software/tar/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.