Vulnerability DatabaseCVE-2025-25724

CVE-2025-25724:
NixOS vulnerability analysis and mitigation

Overview

CVE-2025-25724 is a vulnerability discovered in libarchive through version 3.7.7. The vulnerability was disclosed on March 1, 2025, affecting the listitemverbose function in tar/util.c. The issue stems from an unchecked strftime return value, which could potentially lead to security implications when processing TAR archives (NVD).

Technical details

The vulnerability is classified as CWE-252 (Unchecked Return Value) with a CVSS v3.1 Base Score of 4.0 (MEDIUM). The CVSS vector string is CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L, indicating local access vector, high attack complexity, no privileges required, and no user interaction needed. The technical issue occurs specifically when processing TAR archives with a verbose value of 2, where a 100-byte buffer may not be sufficient for custom locales (NVD, Red Hat).

Impact

The vulnerability can lead to a denial of service condition or other unspecified impacts when processing specially crafted TAR archives. The impact is particularly relevant when using custom locales where the 100-byte buffer limitation becomes a security concern (NVD, Snyk).

Mitigation and workarounds

As of the initial disclosure, there is no fixed version available for affected systems. Red Hat Enterprise Linux 9 has marked this vulnerability as 'Fix deferred'. The vulnerability affects multiple versions of libarchive in various distributions, including Debian bullseye, bookworm, and sid (Debian Tracker, Red Hat).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.8

Score

Published March 2, 2025

Severity HIGH

CNA Score 4.0

Affected Technologies

NixOS
Alma Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 1.9

Exploitation Probability (EPSS) N/A

Affected packages and libraries

bsdcpio-debuginfo
bsdtar-debuginfo

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 9 Severity MEDIUMHas FixAdded at: Jul 01, 2025
Alpine Security Tracker
- Alpine 3.18, 3.19 Severity HIGHHas FixAdded at: Apr 09, 2025
- Alpine 3.20, 3.21, edge Severity HIGHHas FixAdded at: Apr 08, 2025
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity MEDIUMHas FixAdded at: Mar 23, 2025
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: May 04, 2025
Chainguard
- Chainguard Has FixAdded at: Mar 19, 2025
Debian Security Tracker
- Debian 11, 12 Severity LOWNo FixAdded at: Mar 03, 2025
- Debian 13 Severity LOWHas FixAdded at: Mar 03, 2025
- Debian 14 Severity LOWNo FixAdded at: Aug 10, 2025
Homebrew
- Homebrew Severity HIGHNo FixAdded at: Jul 18, 2025
Nix
- Nix Severity HIGHNo FixAdded at: Jul 18, 2025
Photon Security Advisory
- Photon 4.0, 5.0 Severity HIGHHas FixAdded at: Mar 23, 2025
Red Hat Errata
- Red Hat 6 Severity MEDIUMNo FixAdded at: Mar 03, 2025
- Red Hat 7, 8 Severity MEDIUMNo FixAdded at: Mar 04, 2025
- Red Hat 9 Severity MEDIUMHas FixAdded at: Mar 04, 2025
- Red Hat 10 Severity MEDIUMHas FixAdded at: May 23, 2025
Ubuntu Security Tracker
- Ubuntu 20.04, 22.04, 24.04, 24.10 Severity MEDIUMHas FixAdded at: Apr 24, 2025
- Ubuntu 25.04 Severity MEDIUMHas FixAdded at: May 08, 2025
Wolfi
- Wolfi Has FixAdded at: Mar 19, 2025