CVE-2025-60753

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-60753
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60753.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-60753
Downstream
Published
2025-11-05T16:15:40.430Z
Modified
2026-03-13T03:40:10.657045Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).

References

Affected packages

Git / github.com/libarchive/libarchive

Affected ranges

Type
GIT
Repo
https://github.com/libarchive/libarchive
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
9525f90ca4bd14c7b335e2f8c84a4607b0af6bdf
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.8.1"
        }
    ]
}

Affected versions

v2.*
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v3.*
v3.0.0a
v3.0.1b
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v3.1.2
v3.1.900a
v3.1.901a
v3.2.0
v3.2.1
v3.2.2
v3.3.0
v3.3.1
v3.3.2
v3.3.3
v3.4.0
v3.4.1
v3.4.2
v3.4.3
v3.5.0
v3.5.1
v3.5.2
v3.6.0
v3.6.1
v3.6.2
v3.7.0
v3.7.1
v3.7.2
v3.7.3
v3.7.4
v3.7.5
v3.8.0
v3.8.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-60753.json"