[Pkg-javascript-devel] Bug#1116338: node-tar-fs: CVE-2025-59343
Salvatore Bonaccorso
carnil at debian.org
Thu Sep 25 20:02:50 BST 2025
Source: node-tar-fs
Version: 3.0.9+~cs2.0.4-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for node-tar-fs.
CVE-2025-59343[0]:
| tar-fs provides filesystem bindings for tar-stream. Versions prior
| to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation
| bypass if the destination directory is predictable with a specific
| tarball. This issue has been patched in version 3.1.1, 2.1.4, and
| 1.16.6. A workaround involves using the ignore option on non
| files/directories.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59343
https://www.cve.org/CVERecord?id=CVE-2025-59343
[1] https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v
[2] https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-javascript-devel
mailing list