
Description

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to a symlink validation bypass: when the destination directory is predictable, a specially crafted tarball can get past the symlink checks and write outside the extraction directory. This issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6. As a workaround, use the ignore option to skip every entry that is not a regular file or a directory (symlinks in particular).

State: PUBLISHED | Reserved 2025-09-12 | Published 2025-09-24 | Updated 2025-09-24 | Assigner: GitHub_M

HIGH: 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-61: UNIX Symbolic Link (Symlink) Following

Product status

>= 3.0.0, < 3.1.1
affected

>= 2.0.0, < 2.1.3
affected

< 1.16.5
affected

References

github.com/...tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v

github.com/...ommit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09

cve.org (CVE-2025-59343)

nvd.nist.gov (CVE-2025-59343)
