
CVE-2025-69874

Severity: Critical · Public PoC

Published: 11 February 2026
Modified: 03 April 2026
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0084 (53.1st percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-69874 is a critical-severity Path Traversal (CWE-22) vulnerability in Unjs Nanotar. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69874 is a path traversal vulnerability (CWE-22) in the nanotar npm package through version 0.2.0. The flaw affects the parseTar() and parseTarGzip() functions, which do not properly sanitize path traversal sequences in crafted tar archives, enabling extraction of files outside the intended directory.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a malicious tar archive, attackers can achieve arbitrary file writes on the target system, potentially leading to full compromise through overwrite of critical files.

Mitigation details and further analysis are available in the primary advisory at https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69874-nanotar-Path-Traversal.md, along with the project repository at https://github.com/unjs/nanotar and package page at https://www.npmjs.com/package/nanotar.

Vulnerability details

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequences.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in nanotar allows remote unauthenticated arbitrary file writes via crafted tar archives, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-54387 (same vendor: Unjs)
CVE-2026-35209 (same vendor: Unjs)
CVE-2025-2505 (shared CWE-22)
CVE-2026-5841 (shared CWE-22)
CVE-2026-33242 (shared CWE-22)
CVE-2026-33292 (shared CWE-22)
CVE-2026-35605 (shared CWE-22)
CVE-2025-53632 (shared CWE-22)
CVE-2025-8110 (shared CWE-22)
CVE-2026-8757 (shared CWE-22)

Affected Assets

unjs nanotar, versions ≤ 0.2.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent): Timely remediation of the path traversal flaw in nanotar through 0.2.0 directly eliminates the vulnerability in the parseTar() and parseTarGzip() functions.

SI-10 Information Input Validation (prevent): Validates information inputs such as tar archive entry paths to block path traversal sequences and prevent arbitrary file writes outside the extraction directory.

AC-6 Least Privilege (prevent): Enforces least privilege on processes using nanotar to limit the scope of arbitrary file writes even if path traversal succeeds.
