High severity · OSV Advisory · Published Jun 2, 2025 · Updated Apr 15, 2026
CVE-2025-48387
Description
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where extracting a specially crafted tarball can write files outside the specified destination directory (a path-traversal escape of the extraction root). This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround on unpatched versions, pass an `ignore` function to `extract` that rejects every entry whose header type is not a regular file or directory (i.e. skip link entries), which removes the entry types the fix commit adds checks for.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar-fs (npm) | < 1.16.5 | 1.16.5 |
| tar-fs (npm) | >= 2.0.0, < 2.1.3 | 2.1.3 |
| tar-fs (npm) | >= 3.0.0, < 3.0.9 | 3.0.9 |
Patches (1)
43c6eddb6008d4b7e8688a5422ceedf4cf807647447b572bc · check windows tweak (#115)
1 file changed · +27 −22
index.js+27 −22 modified@@ -164,23 +164,23 @@ exports.extract = function extract (cwd, opts) { return next() } - if (header.type === 'directory') { - stack.push([name, header.mtime]) - return mkdirfix(name, { - fs: xfs, - own, - uid: header.uid, - gid: header.gid, - mode: header.mode - }, stat) - } - - const dir = path.dirname(name) + const dir = path.join(name, '.') === path.join(cwd, '.') ? cwd : path.dirname(name) validate(xfs, dir, path.join(cwd, '.'), function (err, valid) { if (err) return next(err) if (!valid) return next(new Error(dir + ' is not a valid path')) + if (header.type === 'directory') { + stack.push([name, header.mtime]) + return mkdirfix(name, { + fs: xfs, + own, + uid: header.uid, + gid: header.gid, + mode: header.mode + }, stat) + } + mkdirfix(dir, { fs: xfs, own, @@ -228,15 +228,19 @@ exports.extract = function extract (cwd, opts) { function onlink () { if (win32) return next() // skip links on win for now before it can be tested xfs.unlink(name, function () { - const dst = path.join(cwd, path.join('/', header.linkname)) + const link = path.join(cwd, path.join('/', header.linkname)) - xfs.link(dst, name, function (err) { - if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) { - stream = xfs.createReadStream(dst) - return onfile() - } + fs.realpath(link, function (err, dst) { + if (err || !inCwd(dst)) return next(new Error(name + ' is not a valid hardlink')) - stat(err) + xfs.link(dst, name, function (err) { + if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) { + stream = xfs.createReadStream(dst) + return onfile() + } + + stat(err) + }) }) }) } 
@@ -317,10 +321,11 @@ exports.extract = function extract (cwd, opts) { function validate (fs, name, root, cb) { if (name === root) return cb(null, true) + fs.lstat(name, function (err, st) { - if (err && err.code === 'ENOENT') return validate(fs, path.join(name, '..'), root, cb) - else if (err) return cb(err) - cb(null, st.isDirectory()) + if (err && err.code !== 'ENOENT' && err.code !== 'EPERM') return cb(err) + if (err || st.isDirectory()) return validate(fs, path.join(name, '..'), root, cb) + cb(null, false) }) }
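Review bot: In the onlink hunk the new target check calls `fs.realpath(link, …)` while every other filesystem call in this function goes through `xfs` (`xfs.unlink`, `xfs.link`, `xfs.createReadStream`), so the containment check runs against the module-level fs rather than whatever `fs` option the caller injected — with a custom fs the real disk either lacks the path (ENOENT, so every hardlink is rejected) or holds a different tree than the one being validated. Unless an injected fs is not guaranteed to implement realpath, this should read `xfs.realpath(link, function (err, dst) {` with the rest of the callback kept as written. Note also that the realpath result is only checked, then `xfs.link(dst, …)` re-resolves the path on disk, so a component swapped between the two calls is not covered by this check; that is a separate concern the commit does not claim to address. `inCwd` and `xfs` are defined outside the hunk, so their exact semantics are inferred here; onlink is complete within the hunk, but the enclosing `extract` and the `validate` helper in the last hunk are not.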
Vulnerability mechanics
References
- github.com/advisories/GHSA-8cj5-5rvv-wf4v (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-48387 (source: ghsa, type: ADVISORY)
- github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w (source: nvd, type: WEB)
- github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f (source: nvd, type: WEB)
- github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v (source: nvd, type: WEB)
- lists.debian.org/debian-lts-announce/2025/06/msg00012.html (source: nvd, type: WEB)