CVE-2025-48387

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

Database specific

{
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/mafintosh/tar-fs

Affected ranges

Type

GIT

Repo

https://github.com/mafintosh/tar-fs

Events

Introduced

Fixed

3c6eddb6008d14f4ca83a439dd432263d29ecb0f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.16.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/mafintosh/tar-fs

Events

Introduced

0f54a78bcc8735c4257177fd004c2f9e55c588bb

Fixed

4b7e8688a54268b7c3268848504167635050aa10

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.1.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/mafintosh/tar-fs

Events

Introduced

6d66143dc5e40480dd6135a4453f6da26a5602e0

Fixed

2ceedf4cf807e89a071ebd585291aa785c980829

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.9"
        }
    ]
}

Affected versions

v0.*

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.7

v0.1.8

v0.2.0

v0.2.1

v0.2.2

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.4.0

v0.4.1

v0.5.0

v0.5.1

v0.5.2

v1.*

v1.0.0

v1.1.0

v1.10.0

v1.11.0

v1.11.1

v1.12.0

v1.13.0

v1.13.1

v1.13.2

v1.14.0

v1.15.0

v1.15.1

v1.15.2

v1.15.3

v1.16.0

v1.16.1

v1.16.2

v1.16.3

v1.16.4

v1.2.0

v1.3.0

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.6.0

v1.7.0

v1.8.0

v1.8.1

v1.9.0

v2.*

v2.0.0

v2.0.1

v2.1.0

v2.1.1

v2.1.2

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8