CVE-2025-48387: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2025-48387) affects tar-fs, a package that provides filesystem bindings for tar-stream. The issue was discovered in versions prior to 3.0.9, 2.1.3, and 1.16.5, where the extract functionality could write files outside the specified directory when processing a specially crafted tarball. The vulnerability was disclosed on June 2, 2025, and was reported by Caleb Brown from Google Open Source Security Team (GitHub Advisory).

The vulnerability is classified as a Path Traversal issue (CWE-22) that allows improper limitation of a pathname to a restricted directory. The issue received a CVSS 4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N. The vulnerability specifically affects the extract functionality in tar-fs, where the validation of extraction paths was insufficient, potentially allowing writes outside the intended directory (NVD).

When exploited, this vulnerability allows an attacker to write files outside the intended extraction directory, potentially leading to unauthorized file system access and modifications. This could result in data exposure, system compromise, or other security implications depending on the context in which tar-fs is being used (GitHub Advisory).

The vulnerability has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a temporary workaround, users can implement the ignore option to ignore non-files/directories using the following pattern: ignore (_, header) { return header.type ! 'file' && header.type ! 'directory' } (GitHub Advisory).