CVE-2025-48387

tar-fs can extract outside the specified dir with a specific tarball

Description

### Impact
Versions v3.0.8, v2.1.2, v1.16.4 and below are affected.

### Patches
Patched in 3.0.9, 2.1.3, and 1.16.5.

### Workarounds
You can use the `ignore` option to skip every entry that is not a regular file or a directory.

```js
const tar = require('tar-fs')

// destinationDir is the directory you already pass to tar.extract
tar.extract(destinationDir, {
  ignore (_, header) {
    // pass files & directories, ignore e.g. symlinks (return true to skip)
    return header.type !== 'file' && header.type !== 'directory'
  }
})
```

### Credit
Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

Patch Available

Fix available through Seal Security. No upgrade required, protect your application instantly.

Vulnerability Details
Score
8.5
Score Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Affected Versions
tar-fs < 1.16.5; tar-fs >= 2.0.0 < 2.1.3; tar-fs >= 3.0.0 < 3.0.9
Severity
High
Ecosystem
JavaScript
Publish Date
June 3, 2025
Modified Date
August 14, 2025