EUVD-2025-16687

🗓️ 03 Oct 2025 20:07:09Reported by EUVDType

tar-fs can extract files outside the specified directory when using a specific tarball

Reporter	Title	Published	Views	Family All 70
IBM Security Bulletins	Security Bulletin: Carbon design system packages	18 Aug 202519:26	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to tar-fs-1.16.4.tgz CVE-2025-48387	8 Sep 202513:25	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Planning Analytics	27 Jun 202520:52	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in tar-fs affects IBM watsonx Orchestrate with watsonx Assistant Cartridge	10 Sep 202520:14	–	ibm
IBM Security Bulletins	Security Bulletin: Astronomer with IBM is vulnerable to unrestricted filesystem writes due to the tar-fs package (CVE-2025-48387)	20 Nov 202514:24	–	ibm
IBM Security Bulletins	Security Bulletin: Security vulnerabilities were found in IBM Verify Identity Access Digital Credentials (CVE-2025-48387, CVE-2025-5889)	11 Jul 202500:47	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar Investigation Assistant app for IBM QRadar SIEM includes components with known vulnerabilities	28 Jul 202513:19	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar EDR Software contains multiple vulnerabilities	15 Oct 202512:45	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service and path traversal [CVE-2025-47935] [CVE-2025-47944] [CVE-2025-48997] [CVE-2025-48387]	27 Jun 202515:12	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Event Streams	7 Jul 202509:56	–	ibm

[
  {
    "enisaIdVendor": [
      {
        "id": "fa7c271c-a60b-3854-bf94-bfd033a7d260",
        "vendor": {
          "name": "mafintosh"
        }
      }
    ],
    "enisaIdProduct": [
      {
        "id": "5a8a4432-5543-38dc-a380-e217898a0bb0",
        "product": {
          "name": "tar-fs"
        },
        "product_version": "3.0.0, < 3.0.9"
      },
      {
        "id": "7de6ab18-fcdc-31c7-8bbb-efc858b3cf04",
        "product": {
          "name": "tar-fs"
        },
        "product_version": "2.0.0, < 2.1.3"
      },
      {
        "id": "f9f1bc44-7ad3-3dc6-ae75-a54bed64ad86",
        "product": {
          "name": "tar-fs"
        },
        "product_version": "< 1.16.5"
      }
    ]
  }
]

Source	Link
github	www.github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v
github	www.github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-48387
github	www.github.com/google/security-research/security/advisories/GHSA-xrg4-qp5w-2c3w

03 Oct 2025 20:07Current

4.8Medium risk

Vulners AI Score4.8

CVSS 48.7

EPSS0.00474

SSVC