High severityOSV Advisory· Published Sep 24, 2025· Updated Apr 15, 2026

CVE-2025-59343

Description

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
tar-fsnpm	>= 3.0.0, < 3.1.1	3.1.1
tar-fsnpm	>= 2.0.0, < 2.1.4	2.1.4
tar-fsnpm	< 1.16.6	1.16.6

Affected products

Mafintosh/Tar FsOSV
Range: v0.1.0, v0.1.1, v0.1.2, …

Patches

0aa57de79eb5

3.1.1

https://github.com/mafintosh/tar-fsMathias BuusSep 16, 2025via osv

commit

1 file changed · +1 −1

package.json+1 −1 modified

@@ -1,6 +1,6 @@
 {
   "name": "tar-fs",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "filesystem bindings for tar-stream",
   "dependencies": {
     "pump": "^3.0.0",

3c6eddb6008d

1.16.5

https://github.com/mafintosh/tar-fsMathias BuusMay 22, 2025via osv

commit

2 files changed · +4022 −1

package.json+1 −1 modified

@@ -1,6 +1,6 @@
 {
   "name": "tar-fs",
-  "version": "1.16.4",
+  "version": "1.16.5",
   "description": "filesystem bindings for tar-stream",
   "dependencies": {
     "chownr": "^1.0.1",

package-lock.json+4021 −0 added

4b7e8688a542

2.1.3

https://github.com/mafintosh/tar-fsMathias BuusMay 22, 2025via osv

commit

1 file changed · +1 −1

package.json+1 −1 modified

@@ -1,6 +1,6 @@
 {
   "name": "tar-fs",
-  "version": "2.1.2",
+  "version": "2.1.3",
   "description": "filesystem bindings for tar-stream",
   "dependencies": {
     "chownr": "^1.1.1",

0bd54cdf06da

expand check

https://github.com/mafintosh/tar-fsMathias BuusSep 16, 2025via ghsa

commit

1 file changed · +1 −1

index.js+1 −1 modified

@@ -247,7 +247,7 @@ exports.extract = function extract (cwd, opts) {
     }
 
     function inCwd (dst) {
-      return dst.startsWith(cwd)
+      return dst === cwd || dst.startsWith(cwd + path.sep)
     }
 
     function onfile () {

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000