GHSA-8cj5-5rvv-wf4v

Source

https://github.com/advisories/GHSA-8cj5-5rvv-wf4v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-8cj5-5rvv-wf4v/GHSA-8cj5-5rvv-wf4v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8cj5-5rvv-wf4v

Aliases

CVE-2025-48387

Related

Published

2025-06-03T06:14:25Z

Modified

2025-06-03T06:42:15.072045Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

tar-fs can extract outside the specified dir with a specific tarball

Details

Impact

v3.0.8, v2.1.2, v1.16.4 and below

Patches

Has been patched in 3.0.9, 2.1.3, and 1.16.5

Workarounds

You can use the ignore option to ignore non files/directories.

  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks
    return header.type !== 'file' && header.type !== 'directory'
  }

Credit

Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

Database specific

{
    "nvd_published_at": "2025-06-02T20:15:22Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-03T06:14:25Z"
}

References

Affected packages

npm / tar-fs

Package

Name: tar-fs; View open source insights on deps.dev
Purl: pkg:npm/tar-fs

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.16.5

npm / tar-fs

Package

Name: tar-fs; View open source insights on deps.dev
Purl: pkg:npm/tar-fs

Affected ranges

Type: SEMVER
Events: Introduced

2.0.0

Fixed

2.1.3

npm / tar-fs

Package

Name: tar-fs; View open source insights on deps.dev
Purl: pkg:npm/tar-fs

Affected ranges

Type: SEMVER
Events: Introduced

3.0.0

Fixed

3.0.9