Cyber Posture

CVE-2025-69874

Critical · Public PoC

Published: 11 February 2026

Modified: 03 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-69874 is a critical-severity Path Traversal (CWE-22) vulnerability in Unjs Nanotar. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 30.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, but a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-2 Flaw Remediation (prevent): Timely remediation of the path traversal flaw in nanotar through 0.2.0 directly eliminates the vulnerability in the parseTar() and parseTarGzip() functions.

SI-10 Information Input Validation (prevent): Validates information inputs such as tar archive entry paths to block path traversal sequences and prevent arbitrary file writes outside the extraction directory.

Least privilege (prevent): Enforces least privilege on processes using nanotar to limit the scope of arbitrary file writes even if path traversal succeeds.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in nanotar allows remote unauthenticated arbitrary file writes via crafted tar archives, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing a path traversal sequence.

Deeper analysis [AI-generated]

CVE-2025-69874 is a path traversal vulnerability (CWE-22) in the nanotar npm package through version 0.2.0. The flaw affects the parseTar() and parseTarGzip() functions, which do not properly sanitize path traversal sequences in crafted tar archives, enabling extraction of files outside the intended directory.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a malicious tar archive, attackers can achieve arbitrary file writes on the target system, potentially leading to full compromise through overwrite of critical files.

Mitigation details and further analysis are available in the primary advisory at https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69874-nanotar-Path-Traversal.md, along with the project repository at https://github.com/unjs/nanotar and package page at https://www.npmjs.com/package/nanotar.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: unjs nanotar ≤ 0.2.0

CVEs Like This One

CVE-2025-54387 (same vendor: Unjs)
CVE-2026-35209 (same vendor: Unjs)
CVE-2024-36512 (shared CWE-22)
CVE-2025-14727 (shared CWE-22)
CVE-2025-36236 (shared CWE-22)
CVE-2025-7360 (shared CWE-22)
CVE-2025-7712 (shared CWE-22)
CVE-2024-39786 (shared CWE-22)
CVE-2025-64057 (shared CWE-22)
CVE-2025-14914 (shared CWE-22)
