CVE-2025-5917: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-5917) was discovered in the libarchive library, disclosed on May 20, 2025. The vulnerability involves an 'off-by-one' miscalculation when handling prefixes and suffixes for file names in the buildustarentryname() function at archivewritesetformat_pax.c (NVD, Wiz Report).

The vulnerability is classified as a low severity issue with a CVSS v3.1 base score of 2.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L). The flaw is categorized as CWE-787 (Out-of-bounds Write) and involves a one-byte write overflow that occurs due to incorrect calculations for the suffix and prefix when handling file names. The calculations for the suffix and prefix can increment the endpoint for a trailing slash, causing the limits used to be one lower than the maximum number of bytes (Github PR).

While the overflow is only one byte in size, it can corrupt adjacent memory, potentially leading to unpredictable program behavior and crashes. In specific circumstances, this vulnerability could be leveraged as a building block for more sophisticated exploitation (NVD, Wiz Report).

The vulnerability has been fixed in libarchive version 3.8.0, released on May 20, 2025. Users are advised to upgrade to this version or later, which includes this and other important security fixes (Github Release, Wiz Report).