
Cloud Vulnerability DB
A community-led vulnerabilities database
tar-fs, a package that provides filesystem bindings for tar-stream, has been identified with a symlink validation bypass vulnerability (CVE-2025-59343). The vulnerability affects versions prior to 3.1.1, 2.1.3, and 1.16.5, where an attacker supplying a specially crafted tarball could bypass symlink validation if the extraction destination directory is predictable. The issue was discovered and reported by Mapta / BugBunny_ai and was disclosed on September 24, 2025 (GitHub Advisory).
The vulnerability stems from an insufficient path validation mechanism in the tar-fs package. The issue specifically relates to how the package validates paths when handling symbolic links. The vulnerability has received a CVSS v4.0 Base Score of 8.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N. The weakness has been categorized under CWE-22 (Path Traversal) and CWE-61 (UNIX Symbolic Link Following) (NVD).
The vulnerability could allow attackers to bypass symlink validation mechanisms when the destination directory is predictable, potentially leading to unauthorized access or manipulation of files outside the intended directory structure (GitHub Advisory).
The vulnerability has been patched in versions 3.1.1, 2.1.4, and 1.16.6. As a workaround, users can pass the ignore option to skip every entry that is not a file or directory, using the following pattern: ignore (_, header) { return header.type !== 'file' && header.type !== 'directory' }. The fix involves expanding the path validation check to properly handle directory separators (GitHub Commit, GitHub Advisory).
Source: This report was generated using AI