CVE-2025-48387
Published: 02 June 2025
Summary
CVE-2025-48387 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).
Operationally, it ranks in the top 20.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
tar-fs is a Node.js library that provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 contain a path traversal flaw (CWE-22) that allows an extract operation to write files outside the intended target directory when processing a specially crafted tarball. The vulnerability received a CVSS 4.0 score of 8.7.
An unauthenticated remote attacker can supply a malicious tar archive to any application using the affected tar-fs extract functionality. Successful exploitation results in arbitrary file writes on the host filesystem, potentially enabling subsequent code execution or configuration tampering depending on the privileges of the extracting process.
Upstream fixes are available in the referenced commits and releases. The project advisories recommend upgrading to the patched versions; a workaround is to supply the ignore option to skip non-file and non-directory entries during extraction. Debian has also published corresponding updates via its LTS channels.
EPSS remains low and flat at 0.0120 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-16687
Vulnerability details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.