
Cloud Vulnerability DB
A community-led vulnerabilities database
In BusyBox through version 1.37.0, filenames in a TAR archive can be hidden from listings of the archive's contents through the use of terminal escape sequences. This vulnerability was discovered and disclosed on April 23, 2025 (NVD, OSS Security).
The vulnerability affects the tar utility in BusyBox and is classified under CWE-451 (User Interface Misrepresentation of Critical Information). It has been assigned a CVSS v3.1 score of 3.2 (LOW) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N. The issue stems from the tar tool's failure to properly handle terminal escape sequences in filenames when listing or unpacking archives (NVD).
When exploited, this vulnerability allows files whose names contain terminal escapes to mask or modify the visibility of other files in the archive during listing operations. This could mislead users about the actual contents of tar archives, especially when running busybox tar or cpio from a terminal (OSS Security).
A patch has been posted to address this vulnerability. The fix involves preventing unprintable bytes, including terminal escapes, from being printed when listing tar file contents in a terminal. The patch has been submitted to the BusyBox mailing list (OSS Security).
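The following added example (not the BusyBox patch, and not code from the advisory) shows the same idea from the defender's side: auditing member names before trusting a terminal listing. It assumes that "unprintable" means any byte outside printable ASCII and that such bytes are replaced with `?`; the function names and the sample archive are constructed for illustration.

```python
import io
import tarfile


def sanitize(name: str) -> str:
    """Replace every byte outside printable ASCII (0x20-0x7E) with '?'.

    Conservative by design: non-ASCII UTF-8 names are also rewritten and flagged.
    """
    raw = name.encode("utf-8", "surrogateescape")
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "?" for b in raw)


def audit_names(fileobj):
    """Return (safe_name, is_suspicious) for each member, in archive order."""
    results = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            safe = sanitize(member.name)
            results.append((safe, safe != member.name))
    return results


def build_sample() -> io.BytesIO:
    """Constructed sample: one ordinary name, one containing a harmless SGR reset escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "docs/note\x1b[0m.txt"):
            data = b"sample\n"
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Only sanitized names are ever written to the terminal.
    for safe, suspicious in audit_names(build_sample()):
        print(("SUSPICIOUS " if suspicious else "ok         ") + safe)
```

Because the check reads names through the archive parser rather than from terminal output, a flagged entry is visible even when the raw listing would not show it.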
Source: This report was generated using AI