CVE-2025-69874 Overview
CVE-2025-69874 is a path traversal vulnerability affecting nanotar through version 0.2.0. The vulnerability exists in the parseTar() and parseTarGzip() functions, which fail to properly validate file paths within tar archives. This allows remote attackers to write arbitrary files outside the intended extraction directory by crafting malicious tar archives containing path traversal sequences such as ../.
Critical Impact
Attackers can exploit this vulnerability to achieve arbitrary file write, potentially overwriting critical system files, configuration files, or injecting malicious code into application directories. This can lead to remote code execution, data corruption, or complete system compromise.
Affected Products
- nanotar versions 0.2.0 and earlier
- Applications using nanotar parseTar() function
- Applications using nanotar parseTarGzip() function
Discovery Timeline
- 2026-02-11 - CVE CVE-2025-69874 published to NVD
- 2026-02-12 - Last updated in NVD database
Technical Details for CVE-2025-69874
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The nanotar library, a lightweight JavaScript/TypeScript tar archive parsing library available via npm, fails to sanitize file paths extracted from tar archive headers before writing files to disk.
When processing a tar archive, the library reads the filename field from each tar entry header and uses it directly to construct the output file path. An attacker can craft a malicious tar archive where entry filenames contain directory traversal sequences (e.g., ../../etc/cron.d/malicious or ../../../.bashrc). When the vulnerable parseTar() or parseTarGzip() functions process such an archive, they write files to locations outside the intended extraction directory.
The network-based attack vector enables exploitation through any application that accepts tar archives from remote sources, such as file upload features, package managers, or CI/CD pipelines that process user-supplied archives.
Root Cause
The root cause is insufficient input validation in the tar parsing functions. The parseTar() and parseTarGzip() functions do not validate or sanitize the filename field extracted from tar entry headers before using it to determine the output file path. Specifically, the code lacks checks to:
- Detect and reject path traversal sequences (../ or ..\)
- Resolve the canonical path and verify it remains within the intended extraction directory
- Block absolute paths that could write to arbitrary filesystem locations
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker crafts a malicious tar archive containing entries with path traversal sequences in their filenames. When a vulnerable application processes this archive using nanotar's parseTar() or parseTarGzip() functions, files are written outside the intended extraction directory.
The attack can be delivered through any mechanism that causes the target application to process an attacker-controlled tar archive. This includes file upload functionality, REST API endpoints accepting tar archives, package installation mechanisms, or automated systems that fetch and extract remote archives.
Detection Methods for CVE-2025-69874
Indicators of Compromise
- Unexpected files appearing outside of designated extraction directories
- Files created in sensitive system locations (e.g., /etc/, /usr/bin/, ~/.ssh/) during tar extraction operations
- Log entries showing file writes to paths containing ../ sequences
- Modified configuration files or scripts without authorized changes
Detection Strategies
- Monitor file system operations during tar extraction for writes outside designated directories
- Implement application-level logging that captures full file paths during archive extraction
- Use file integrity monitoring (FIM) tools to detect unauthorized file modifications in sensitive directories
- Deploy SentinelOne Singularity to detect and alert on suspicious file write patterns indicative of path traversal exploitation
Monitoring Recommendations
- Enable verbose logging in applications that process tar archives to capture extraction paths
- Configure alerts for any file creation events outside expected extraction directories
- Monitor npm dependency lists for nanotar versions 0.2.0 and earlier
- Implement network monitoring to detect unusual tar archive uploads or downloads
How to Mitigate CVE-2025-69874
Immediate Actions Required
- Audit all applications for usage of nanotar library versions 0.2.0 and earlier
- Implement input validation to reject tar entries containing path traversal sequences before extraction
- Use allowlisting to restrict file extraction to specific directories only
- Consider replacing nanotar with a library that includes path traversal protections until a patched version is available
Patch Information
At the time of publication, organizations should monitor the nanotar GitHub repository and npm package page for security updates. Review the CVE-2025-69874 disclosure for the latest remediation guidance. Until an official patch is released, implement the workarounds described below.
Workarounds
- Implement a wrapper function that validates and sanitizes filenames before passing archives to nanotar
- Resolve the canonical path of each extracted file and verify it remains within the intended extraction directory
- Reject any tar entries where the filename contains ../, ..\, or begins with /
- Run tar extraction processes in a sandboxed environment with restricted filesystem access
- Use operating system-level controls (chroot, containers) to limit the impact of path traversal
# Configuration example
# Example validation logic to implement before calling parseTar/parseTarGzip
# Ensure extracted paths remain within the target directory
# In your application code, validate each entry path:
# 1. Reject paths containing "../" or "..\"
# 2. Reject absolute paths starting with "/"
# 3. Resolve the full path and verify it starts with your extraction directory
# Example directory restriction using chroot for tar extraction
mkdir -p /var/lib/safe-extract
chroot /var/lib/safe-extract /usr/bin/node extract-script.js
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
