CVE-2025-5918: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2025-5918) has been identified in the libarchive library, discovered and disclosed on June 9, 2025. The vulnerability affects the file stream handling functionality in bsdtar when files are piped into the application. This flaw is present in libarchive versions prior to 3.8.0 (NVD, Wiz).

The vulnerability is classified as an out-of-bounds read (CWE-125) that occurs when file streams are piped into bsdtar. The issue has been assigned a CVSS v3.1 Base Score of 3.9 (LOW) with the following vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L. The technical root cause involves improper handling of EOF (End of File) conditions, where the application may attempt to read past the end of the file (NVD, GitHub PR).

The out-of-bounds read vulnerability can lead to several unintended consequences, including unpredictable program behavior, memory corruption, or a denial-of-service condition. The impact is particularly relevant when processing file streams through bsdtar (NVD, Wiz).

The vulnerability has been fixed in libarchive version 3.8.0. Users are recommended to upgrade to this version or later, which includes the security fix along with other improvements. The fix specifically addresses the EOF handling issue to prevent reading past the end of file (GitHub Release).