Platform
nodejs
Component
tar-fs
Fixed in
3.0.9
2.1.3
1.16.5
CVE-2025-48387 is a path traversal (link following) vulnerability in tar-fs, the Node.js library that packs directories into tar archives and extracts tar archives onto the filesystem. A specially crafted tar archive can make tar-fs write files outside the destination directory passed to extract(), which, depending on where the extracting process can write, can lead to code execution or data compromise. The vulnerability affects versions 3.0.8, 2.1.2, and 1.16.4 and below of the respective release lines, and has been patched in versions 3.0.9, 2.1.3, and 1.16.5.
An attacker exploits this by supplying an archive containing entries, typically symbolic links or other link-type entries, whose targets resolve to a path outside the extraction directory. When an application extracts that archive with a vulnerable tar-fs, subsequent entries are written through the link, so the attacker chooses where on the filesystem content lands. The impact therefore depends on the privileges of the extracting process and on what it can reach: overwriting a file the application later loads or executes (a script, a configuration file, a shell profile) gives code execution, while clobbering other files gives data loss or denial of service. Any application that extracts user-supplied archives (uploads, plugin bundles, container layers, build artifacts) should treat the archive as untrusted input, extract into a dedicated empty directory as an unprivileged user, and restrict the entry types it accepts.
This vulnerability was reported by Caleb Brown of the Google Open Source Security Team. As of the public disclosure date (2025-06-03), there is no indication of active exploitation and no KEV listing. Public proof-of-concept code is not currently available, but crafting a malicious tarball requires no special tooling, and tar-fs is widely used in the Node.js ecosystem, so exploitation is realistic wherever untrusted archives are extracted.
Exploit Status
EPSS: 0.28% (51st percentile)
The primary mitigation is to upgrade to a patched version of tar-fs (3.0.9, 2.1.3, or 1.16.5). If upgrading is not immediately feasible, the workaround from the project's advisory is to pass an ignore function to extract() that skips every entry whose header.type is not 'file' or 'directory'; tar-fs calls ignore(name, header) for each entry and discards the entry when the function returns true, so symbolic links and other special entries are never created. After upgrading, verify the fix in an isolated environment: build a tarball that contains a symlink entry whose target resolves outside the destination, extract it into an empty temporary directory, and confirm that nothing outside that directory was created or modified.
Update the tar-fs library to version 3.0.9, 2.1.3, or 1.16.5 (or later on the same release line). The fix prevents extraction from writing outside the specified directory. As an interim measure, use the ignore option to skip any entry that is not a regular file or directory.
CVE-2025-48387 is a HIGH severity vulnerability in the Node.js tar-fs library (versions 3.0.8, 2.1.2, and 1.16.4 and below) that lets a crafted tar archive write files outside the extraction directory.
You are affected if you use tar-fs 3.0.8, 2.1.2, or 1.16.4 or earlier, directly or through a dependency that extracts archives. Upgrade to 3.0.9, 2.1.3, or 1.16.5 to resolve the issue.
Upgrade to version 3.0.9, 2.1.3, or 1.16.5. As a temporary workaround, pass an ignore option to extract() that skips every entry whose type is not 'file' or 'directory'.
As of the public disclosure date, there is no evidence of active exploitation, but the vulnerability is straightforward to trigger wherever untrusted archives are extracted.
The official advisory is published as a GitHub security advisory in the tar-fs repository; the NVD entry for CVE-2025-48387 references it. The Google Open Source Security Team, which reported the issue, may publish additional details.