Vulnerability DatabaseCVE-2025-48387

CVE-2025-48387:
JavaScript vulnerability analysis and mitigation

Overview

tar-fs, a package that provides filesystem bindings for tar-stream, was found to contain a critical vulnerability identified as CVE-2025-48387. The vulnerability affects versions prior to 3.0.9, 2.1.3, and 1.16.5, where an extract operation can write outside the specified directory with a specific tarball. The issue was discovered and reported by Caleb Brown from Google Open Source Security Team (GitHub Advisory).

Technical details

The vulnerability is classified as a Path Traversal issue (CWE-22), involving improper limitation of a pathname to a restricted directory. The severity is rated as HIGH with a CVSS 4.0 Base Score of 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) (NVD).

Impact

The vulnerability allows an attacker to write files outside the intended directory during tar extraction operations, potentially leading to unauthorized file system access and modifications (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a temporary workaround, users can implement the ignore option to ignore non-files/directories. The recommended workaround code is to use: ignore (_, header) { return header.type ! 'file' && header.type ! 'directory' } (GitHub Advisory).