CVE-2025-59343 Overview
CVE-2025-59343 is a path traversal vulnerability affecting tar-fs, a popular Node.js library that provides filesystem bindings for tar-stream. The vulnerability exists in versions prior to 3.1.1, 2.1.3, and 1.16.5, where symlink validation can be bypassed when the destination directory is predictable with a specific tarball structure. This flaw allows attackers to write files outside the intended extraction directory, potentially compromising system integrity.
Critical Impact
Attackers can bypass symlink validation to write arbitrary files outside the intended extraction directory, potentially overwriting critical system files or injecting malicious content into trusted locations.
Affected Products
- tar-fs versions prior to 3.1.1 (3.x branch)
- tar-fs versions prior to 2.1.4 (2.x branch)
- tar-fs versions prior to 1.16.6 (1.x branch)
Discovery Timeline
- 2025-09-24 - CVE-2025-59343 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2025-59343
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from an incomplete check in the inCwd function, which validates whether extracted files remain within the intended destination directory. The vulnerable code used a plain startsWith prefix comparison that carefully crafted directory paths could satisfy while still resolving outside the destination. When processing a malicious tarball, an attacker could exploit this flaw to extract files to arbitrary locations on the filesystem, bypassing the library's intended security boundary.
The vulnerability is exploitable over the network when applications process user-supplied tar archives. No authentication is required to exploit this vulnerability, making it particularly dangerous in scenarios where tar-fs is used to handle untrusted archive files.
Root Cause
The root cause lies in the inadequate path validation within the inCwd function. The original implementation only checked that the destination path string started with the working directory string; it did not treat the case where the path equals the working directory exactly, and it did not enforce a path separator boundary after the prefix. This allowed attackers to craft tarball entries that passed the validation while actually targeting locations outside the intended directory.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious tarball containing specially constructed symlinks and file entries. When a vulnerable application extracts this tarball using tar-fs, the symlink validation bypass allows files to be written outside the intended extraction directory. This attack requires:
- The ability to supply a tar archive to a vulnerable application
- Knowledge of the predictable destination directory structure
- A tarball crafted with symlinks that exploit the validation flaw
// Security patch in index.js - expand check
// Source: https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09
}
function inCwd (dst) {
- return dst.startsWith(cwd)
+ return dst === cwd || dst.startsWith(cwd + path.sep)
}
function onfile () {
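Review bot: the new check on the `+` line assumes cwd has been normalized with no trailing separator; if cwd ever ended in path.sep, cwd + path.sep would carry a doubled separator that no resolved dst starts with, and every entry other than cwd itself would be rejected. A short comment above inCwd stating that cwd is the resolved form, and why the dst === cwd branch is needed (an entry that resolves to the destination directory itself), would make the one-liner self-explanatory for the next reader.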
The patch addresses the vulnerability by ensuring that the destination path either exactly equals the working directory or properly starts with the working directory followed by a path separator, preventing directory traversal attacks.
Detection Methods for CVE-2025-59343
Indicators of Compromise
- Unexpected file creation or modification outside designated extraction directories
- Log entries showing tar extraction operations with suspicious path patterns containing ../ sequences
- Files appearing in system directories that trace back to tar extraction operations
- Symlinks in extraction directories pointing to sensitive system locations
Detection Strategies
- Monitor tar extraction operations for paths that resolve outside intended destination directories
- Implement file integrity monitoring on critical system directories to detect unauthorized modifications
- Review application logs for tar-fs extraction activities with unusual destination paths
- Scan deployed applications for vulnerable tar-fs versions using software composition analysis (SCA) tools
Monitoring Recommendations
- Enable verbose logging for applications using tar-fs to capture extraction paths
- Implement alerting for file system operations that create files in protected directories during tar extraction
- Monitor npm audit results for tar-fs dependency vulnerabilities across your codebase
How to Mitigate CVE-2025-59343
Immediate Actions Required
- Update tar-fs to version 3.1.1 or later (for 3.x branch users)
- Update tar-fs to version 2.1.4 or later (for 2.x branch users)
- Update tar-fs to version 1.16.6 or later (for 1.x branch users)
- Audit applications that process untrusted tar archives for potential compromise
Patch Information
Security patches have been released across all supported branches of tar-fs. The fix modifies the inCwd function to properly validate that destination paths are contained within the intended working directory by checking for exact equality or ensuring the path starts with the working directory plus a path separator.
Patch details are available in the GitHub Commit Record. Additional information can be found in the GitHub Security Advisory and the Debian LTS Announcement.
Workarounds
- Use the ignore option to skip entries that are neither regular files nor directories when extracting tar archives, which prevents symlink-based attacks
- Implement additional path validation in your application before using tar-fs extraction
- Run tar extraction operations in isolated environments with restricted filesystem access
- Avoid processing untrusted tar archives until patches can be applied
# Configuration example
# Update tar-fs to the latest patched version using npm
npm install tar-fs@latest
# Or pin the exact patched version for your branch
npm install tar-fs@3.1.1 # For 3.x users
npm install tar-fs@2.1.4 # For 2.x users
npm install tar-fs@1.16.6 # For 1.x users
# Verify the installed version (nested copies pulled in by other dependencies are listed too)
npm list tar-fs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.