Cyber Posture

CVE-2025-25724

Medium · Public PoC

Published: 02 March 2025
Modified: 17 July 2025
CVSS Score: 4.0 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0003 (8.4th percentile)
Risk Priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-25724 is a medium-severity Unchecked Return Value (CWE-252) vulnerability in Libarchive Libarchive. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability is ranked at the 8.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely identification, reporting, and correction of software flaws such as the unchecked strftime return value in libarchive's list_item_verbose, preventing denial of service from crafted TAR archives.

prevent: Mandates secure error and exception handling to address the failure to check strftime return values, reducing the impact of an insufficient buffer in verbose TAR processing.

prevent: Enforces validation of TAR archive inputs to detect and block crafted files that trigger the vulnerable strftime operation under custom locales.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability in libarchive's TAR processing enables a local denial of service via a crafted archive that exploits an application flaw, mapping directly to T1499.004 Application or System Exploitation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

NVD Description

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Deeper analysis

CVE-2025-25724 is a vulnerability in the list_item_verbose function within tar/util.c of libarchive through version 3.7.7. The issue stems from a failure to check the return value of strftime, which can result in a denial of service or unspecified other impact when processing a crafted TAR archive using verbose output level 2. For example, a custom locale may exceed the 100-byte buffer allocated for the operation.

Exploitation requires local access (AV:L) with high attack complexity (AC:H), no privileges (PR:N), and no user interaction (UI:N), as indicated by the CVSS v3.1 base score of 4.0 (C:N/I:L/A:L/S:U). A local attacker can thus trigger low-impact integrity and availability effects, such as denial of service, through a malicious TAR file.

Proof-of-concept code demonstrating the issue is available at https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92 and https://github.com/Ekkosun/pocs/blob/main/bsdtarbug. The vulnerable source code lines are visible in the libarchive repository at https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752.
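The unchecked-return-value pattern described above, beside its checked counterpart, as an added illustration that is not libarchive's code: the function names, the numeric-timestamp fallback and the 150-character format standing in for an oversized locale expansion are constructed for this example; only the 100-byte buffer size comes from the NVD text.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed illustration of the CWE-252 pattern behind CVE-2025-25724
 * (not libarchive's code). strftime() returns 0 when its output plus the
 * terminator does not fit, and the buffer contents are then indeterminate. */

#define TIME_BUF_LEN 100  /* the buffer size named in the NVD text */

/* Unchecked pattern: a format or locale whose expansion exceeds `len`
 * leaves `buf` indeterminate, and the caller prints it as a timestamp. */
void format_time_unchecked(char *buf, size_t len, const char *fmt, time_t t)
{
	strftime(buf, len, fmt, gmtime(&t));  /* CWE-252: result ignored */
}

/* Checked pattern: on a zero return, replace the untrusted buffer with a
 * numeric timestamp that always fits. Returns 1 if `fmt` was rendered. */
int format_time_checked(char *buf, size_t len, const char *fmt, time_t t)
{
	if (len == 0)
		return 0;
	struct tm *tm = gmtime(&t);
	if (tm == NULL || strftime(buf, len, fmt, tm) == 0) {
		snprintf(buf, len, "%lld", (long long)t);  /* safe fallback */
		return 0;
	}
	return 1;
}

int main(void)
{
	char buf[TIME_BUF_LEN];
	/* A constructed 150-character format stands in for a locale whose
	 * expansion exceeds the 100-byte buffer. */
	char longfmt[151];
	memset(longfmt, 'x', 150);
	longfmt[150] = '\0';

	format_time_checked(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", (time_t)0);
	printf("fits:     %s\n", buf);
	format_time_checked(buf, sizeof buf, longfmt, (time_t)0);
	printf("fallback: %s\n", buf);
	return 0;
}
```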

Details

CWE(s): CWE-252 Unchecked Return Value

Affected Products: libarchive (vendor: libarchive), versions ≤ 3.7.7

CVEs Like This One

CVE-2024-48615 (same product: Libarchive Libarchive)
CVE-2026-35468 (shared CWE-252)
CVE-2026-21920 (shared CWE-252)
CVE-2026-28691 (shared CWE-252)
CVE-2026-5121 (same product: Libarchive Libarchive)
CVE-2026-4424 (same product: Libarchive Libarchive)
CVE-2026-0723 (shared CWE-252)
CVE-2026-34065 (shared CWE-252)
CVE-2026-31830 (shared CWE-252)
CVE-2026-22255 (shared CWE-252)

References