CVE-2025-48387

Severity: High
Published: 02 June 2025
Modified: 15 April 2026
KEV: not listed
Patch: available
CVSS v4 base score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0120 (79.3rd percentile)
Risk priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-48387 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.7 (High).

Operationally, it ranks in the top 20.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

tar-fs is a Node.js library that provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 contain a path traversal flaw (CWE-22) that allows an extract operation to write files outside the intended target directory when processing a specially crafted tarball. The vulnerability received a CVSS 4.0 score of 8.7.

An unauthenticated remote attacker can supply a malicious tar archive to any application using the affected tar-fs extract functionality. Successful exploitation results in arbitrary file writes on the host filesystem, potentially enabling subsequent code execution or configuration tampering depending on the privileges of the extracting process.

Upstream fixes are available in the referenced commits and releases. The project advisories recommend upgrading to the patched versions; a workaround is to supply the ignore option to skip non-file and non-directory entries during extraction. Debian has also published corresponding updates via its LTS channels.

EPSS remains low and flat at 0.0120 with no observed increase after disclosure.

Vulnerability details

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

CWE(s): CWE-22 (Path Traversal)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

Likely mitigating controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: validates pathnames and filenames to prevent traversal outside intended directories.
