CVE-2025-48387 Overview
CVE-2025-48387 is a Path Traversal vulnerability in tar-fs, a popular Node.js library that provides filesystem bindings for tar-stream. The vulnerability allows an attacker to craft a malicious tarball that, when extracted, writes files outside of the intended extraction directory. This can lead to arbitrary file overwrites on the target system, potentially enabling further compromise through overwriting configuration files, scripts, or other sensitive data.
Critical Impact
Attackers can achieve arbitrary file writes outside the intended extraction directory by crafting specially designed tarballs, potentially leading to system compromise through file overwrites.
Affected Products
- tar-fs versions prior to 3.0.9
- tar-fs versions prior to 2.1.3
- tar-fs versions prior to 1.16.5
Discovery Timeline
- June 2, 2025 - CVE-2025-48387 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-48387
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal or Directory Traversal. The tar-fs library fails to properly sanitize file paths contained within tarball archives during the extraction process.
When processing tar entries, the library does not adequately validate or restrict the destination paths of files being extracted. An attacker can include entries in a tarball with relative path components (such as ../) or absolute paths that escape the intended extraction directory. This allows malicious archive contents to be written to arbitrary locations on the filesystem where the extracting process has write permissions.
The attack can be executed remotely if the vulnerable application processes tar archives from untrusted sources over a network, making this a network-exploitable vulnerability with no authentication or user interaction required.
Root Cause
The root cause lies in insufficient path validation within the tar-fs extraction logic. The library does not properly canonicalize or validate destination paths before writing extracted files to disk. Specifically, the library fails to detect and reject tar entries containing path traversal sequences that would result in writes outside the specified extraction directory.
The security fix commit addresses this by implementing proper path validation to ensure all extracted files remain within the intended destination directory.
Attack Vector
The attack is network-exploitable and requires no privileges or user interaction. An attacker creates a specially crafted tarball containing entries with path traversal sequences (e.g., ../../../etc/cron.d/malicious) or symbolic links pointing to sensitive locations. When an application using a vulnerable version of tar-fs extracts this malicious archive, files are written outside the intended extraction directory.
The vulnerability can be exploited in any scenario where an application uses tar-fs to extract archives from untrusted sources, including:
- Web applications accepting tar file uploads
- Package managers or build systems processing third-party archives
- Backup/restore utilities handling user-supplied archives
- Container or deployment tools extracting tarballs
For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-48387
Indicators of Compromise
- Unexpected file modifications in directories outside normal application paths
- Files appearing in system directories (e.g., /etc, /usr/bin, C:\Windows\System32) with timestamps corresponding to tar extraction operations
- Log entries showing tar-fs extraction activities followed by anomalous file access patterns
- Modified cron jobs, startup scripts, or configuration files that coincide with archive processing events
Detection Strategies
- Monitor for file writes outside designated extraction directories during tar-fs operations using file integrity monitoring tools
- Implement runtime application security that detects path traversal attempts in archive processing
- Audit application logs for tar extraction operations and correlate with filesystem changes
- Use dependency scanning tools to identify vulnerable versions of tar-fs (< 3.0.9, < 2.1.3, < 1.16.5) in your codebase
Monitoring Recommendations
- Deploy SentinelOne Singularity to detect and prevent malicious file writes resulting from path traversal exploitation
- Enable file integrity monitoring on critical system directories to detect unauthorized modifications
- Implement network traffic analysis to identify suspicious tarball downloads or uploads
- Configure alerting for new files created in sensitive system locations during application runtime
How to Mitigate CVE-2025-48387
Immediate Actions Required
- Update tar-fs to version 3.0.9, 2.1.3, or 1.16.5 depending on your major version branch
- Audit applications for usage of tar-fs with untrusted archive sources
- Implement the ignore option workaround if immediate patching is not possible
- Review filesystem permissions to limit the impact of potential arbitrary file writes
Patch Information
The vulnerability has been patched in tar-fs versions 3.0.9, 2.1.3, and 1.16.5. Organizations should update to these versions immediately based on their current major version:
- For tar-fs 3.x: Upgrade to 3.0.9 or later
- For tar-fs 2.x: Upgrade to 2.1.3 or later
- For tar-fs 1.x: Upgrade to 1.16.5 or later
Debian users should refer to the Debian LTS Announcement for distribution-specific guidance.
Workarounds
- Use the ignore option in tar-fs to filter out non-file and non-directory entries that could be used for exploitation
- Implement application-level path validation before extraction to reject archives containing traversal sequences
- Run archive extraction processes in sandboxed environments with restricted filesystem access
- Validate archive contents before extraction using a separate scanning utility
// Example: using the ignore option as a workaround
// In your Node.js application, configure tar-fs extraction with an ignore filter:
const fs = require('fs')
const tar = require('tar-fs')

// 'untrusted.tar' is a placeholder for the archive being extracted
fs.createReadStream('untrusted.tar').pipe(tar.extract('/safe/destination', {
  ignore: (name, header) => {
    // Reject entries that are not files or directories (symlinks, hard links, devices, ...)
    return header.type !== 'file' && header.type !== 'directory'
  }
}))
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

