CVE-2025-48387: tar-fs can extract outside the specified dir with a specific tarball
Affected versions: v3.0.8, v2.1.2, v1.16.4 and below
References
- github.com/advisories/GHSA-8cj5-5rvv-wf4v
- github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w
- github.com/mafintosh/tar-fs
- github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f
- github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v
- nvd.nist.gov/vuln/detail/CVE-2025-48387
Detect and mitigate CVE-2025-48387 with GitLab Dependency Scanning
Secure your software supply chain by verifying that none of the open source dependencies used in your projects carry disclosed vulnerabilities. Learn more about Dependency Scanning.