Description
CVE-2025-59343 - High Severity Vulnerability
Vulnerable Libraries - tar-fs-2.1.3.tgz, tar-fs-3.1.0.tgz
tar-fs-2.1.3.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- @osd/opensearch-1.0.0.tgz (Root Library)
- ❌ tar-fs-2.1.3.tgz (Vulnerable Library)
tar-fs-3.1.0.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-3.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json,/package.json
Dependency Hierarchy:
- puppeteer-24.14.0.tgz (Root Library)
- browsers-2.10.6.tgz
- ❌ tar-fs-3.1.0.tgz (Vulnerable Library)
- browsers-2.10.6.tgz
Found in HEAD commit: 4fd064970b66ce555f48c22dfab6ed965d0e260a
Found in base branch: main
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to a symlink validation bypass when the destination directory is predictable and a specially crafted tarball is extracted. This issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6. As a workaround, use the ignore option to skip entries that are neither regular files nor directories.
Publish Date: 2025-09-24
URL: CVE-2025-59343
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj76-c3g6-qr5v
Release Date: 2025-09-24
Fix Resolution (tar-fs): 2.1.4
Direct dependency fix Resolution (puppeteer): 24.15.0