
Cloud Vulnerability DB
A community-led vulnerabilities database
GNU Tar through version 1.35 contains a directory traversal vulnerability that lets an attacker overwrite files outside the extraction directory via a two-step process when a victim extracts crafted TAR archives. The vulnerability was disclosed on July 11, 2025 and affects all versions of GNU Tar up to and including 1.35 (NVD).
The vulnerability uses a two-step process to bypass the built-in protection that normally blocks directory traversal. First, the victim must extract an archive containing a symlink whose target uses '../' to point at a critical directory. Second, the victim must extract another archive containing a critical file, specified via a relative pathname that begins with the symlink name and ends with the critical file's name (for example 'sym/authorized_keys'). Tar's 'Member name contains ..' check is applied to member names, not to symlink targets, so the first archive is accepted; and because the symlink already exists on disk when the second archive is extracted, tar simply writes the member through it and overwrites the critical file (NVD, Snyk). The vulnerability has been assigned a CVSS v3.1 score of 4.1 (MEDIUM) with vector CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:L (NVD): local attack vector and high attack complexity, no privileges required, user interaction required (the victim has to run tar on both archives), changed scope, and low integrity and availability impact.
This vulnerability can affect server applications that automatically extract user-supplied TAR archives into the same directory and rely on tar's blocking of traversal attempts. It also affects software installation processes where 'tar xf' is run several times into one location, for example when a package and its dependencies are installed from untrusted tarballs rather than from official packages. In such a setup an attacker could craft a pair of archives that overwrites a sensitive file such as ~/.ssh/authorized_keys (NVD).
No official patch has been released yet, as this is a newly disclosed vulnerability. Until one is available, users are advised to exercise caution when extracting untrusted tar archives, especially in automated processes or when running tar multiple times on related archives into the same directory (NVD). Practical precautions: extract each untrusted archive into a fresh, empty directory (create it and pass it with -C); list the contents first with 'tar -tvf' and reject archives that contain symlink members, or members whose first path component matches a symlink already present in the destination; and do not run the extraction as a user whose home directory or other sensitive files are reachable from the extraction path.
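The following is an added example, not GNU tar's code and not from the page's sources. It builds the two archives from the scenario above in memory (constructed sample data: a symlink member 'sym' pointing at '../../victim/.ssh', then a member 'sym/authorized_keys'), shows that a rule which only inspects member names for '..' accepts both, and implements a pre-extraction check that resolves every member against the real destination directory with os.path.realpath(), so a symlink left behind by an earlier extraction is followed exactly as tar would follow it. The function names, the victim path and the temporary directory layout are assumptions made for the illustration.

```python
import io
import os
import tarfile
import tempfile


def _add_symlink(tar, name, target):
    """Append a symlink member 'name' -> 'target' to an open tarfile."""
    info = tarfile.TarInfo(name)
    info.type = tarfile.SYMTYPE
    info.linkname = target
    tar.addfile(info)


def _add_file(tar, name, data):
    """Append a regular-file member holding the given bytes."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_stage_archives():
    """Return (stage1, stage2) as bytes. Constructed sample archives:
    stage 1 plants 'sym -> ../../victim/.ssh'; stage 2 carries
    'sym/authorized_keys', which only escapes through the planted link."""
    buf1 = io.BytesIO()
    with tarfile.open(fileobj=buf1, mode="w") as tar:
        _add_symlink(tar, "sym", "../../victim/.ssh")
    buf2 = io.BytesIO()
    with tarfile.open(fileobj=buf2, mode="w") as tar:
        _add_file(tar, "sym/authorized_keys", b"ssh-ed25519 AAAA... attacker\n")
    return buf1.getvalue(), buf2.getvalue()


def dotdot_name_check(archive):
    """The rule the two-step trick bypasses: flag only member names that are
    absolute or contain a '..' component. Symlink targets are not examined."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        return [m.name for m in tar.getmembers()
                if m.name.startswith("/") or ".." in m.name.split("/")]


def find_unsafe_members(archive, dest):
    """Return [(member_name, reason)] for members that would escape 'dest'.

    Each name is joined to the real destination and resolved with realpath(),
    so a symlink that an earlier extraction left on disk is followed. Link
    members additionally get their target resolved and checked."""
    dest_real = os.path.realpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            name = m.name.lstrip("/")  # tar strips leading '/' by default
            if ".." in name.split("/"):
                findings.append((m.name, "'..' component in member name"))
                continue
            target = os.path.realpath(os.path.join(dest_real, name))
            if os.path.commonpath([target, dest_real]) != dest_real:
                findings.append((m.name, "resolves outside destination: " + target))
                continue
            if m.issym() or m.islnk():
                # Symlink targets are relative to the member's own directory;
                # hard-link targets are archive-relative member names.
                base = dest_real if m.islnk() else os.path.join(dest_real, os.path.dirname(name))
                link = os.path.realpath(os.path.join(base, m.linkname))
                if os.path.commonpath([link, dest_real]) != dest_real:
                    findings.append((m.name, "link target outside destination: " + link))
    return findings


def demo():
    """Run both checks across the two stages and return the results."""
    stage1, stage2 = build_stage_archives()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "extract")
        os.mkdir(dest)
        results = {
            "name_check_stage1": dotdot_name_check(stage1),
            "name_check_stage2": dotdot_name_check(stage2),
            "stage1": find_unsafe_members(stage1, dest),
            "stage2_before_link": find_unsafe_members(stage2, dest),
        }
        # Simulate the victim having already extracted stage 1 with tar:
        # the symlink now exists inside the destination directory.
        os.symlink("../../victim/.ssh", os.path.join(dest, "sym"))
        results["stage2_after_link"] = find_unsafe_members(stage2, dest)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script, the name-only check returns nothing for either archive, while find_unsafe_members() flags the stage 1 symlink because its target resolves outside the destination, accepts the stage 2 archive against an empty directory, and flags 'sym/authorized_keys' once the symlink is present. The point of the realpath() step is that the decision is made against what is actually on disk at extraction time, not against the member name as written; applications that extract with Python's tarfile module get a containment test of the same kind from extractall(..., filter="data"), available since Python 3.12 and backported to maintained 3.8 through 3.11 releases.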
Source: This report was generated using AI