The vulnerability in tar-fs (CVE-2025-XXXXX) allows attackers to exploit path traversal and symbolic link following when processing malicious tar archives. When extracting files, the package fails to properly sanitize paths, enabling an attacker to craft a tar file with `../` sequences or symlinks pointing outside the target directory. This can lead to arbitrary file overwrites, data corruption, or remote code execution if critical system files are modified.
The exploit works by embedding specially crafted filenames or symlinks in the tar archive. During extraction, tar-fs resolves these paths without proper validation, allowing files to be written outside the intended directory. For example, a malicious entry like `../../etc/passwd` could overwrite system files if extracted with root privileges.
DailyCVE Form
Platform: Node.js
Version: <1.16.4, 2.0.0-2.1.1, 3.0.0-3.0.6
Vulnerability: Path Traversal
Severity: High
Date: 2025-03-27
What Undercode Say:
Exploitation:
1. Craft malicious tar file:
mkdir exploit ln -s /etc/passwd exploit/malicious_link tar -cvf payload.tar exploit/
2. Trigger extraction in vulnerable app:
const tars = require('tar-fs');
tars.extract('payload.tar', { fs: require('fs') });
Detection:
- Check installed version:
npm list tar-fs
- Audit for symlink abuse:
find /target_dir -type l -exec ls -la {} \;
Mitigation:
1. Update tar-fs:
npm install [email protected]
2. Sanitize paths manually:
const path = require('path');
const safePath = path.resolve(targetDir, entry.path);
if (!safePath.startsWith(path.resolve(targetDir))) {
throw new Error("Path traversal attempt");
}
3. Use chroot/jail extraction:
mkdir -p /safe_dir && chroot /safe_dir /bin/bash
Additional Checks:
- Monitor file writes:
auditctl -w /etc/ -k critical_files
- Restrict filesystem permissions:
chmod -R 700 /target_dir
References:
References:
Reported By: https://github.com/advisories/GHSA-pq67-2wwv-3xjx
Extra Source Hub:
Undercode
