GHSA-8cj5-5rvv-wf4v

GitHub Security Advisory

tar-fs can extract outside the specified dir with a specific tarball

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact
Affects tar-fs v3.0.8, v2.1.2, v1.16.4 and below.

### Patches
Patched in 3.0.9, 2.1.3, and 1.16.5.

### Workarounds
You can use the `ignore` option to skip every entry that is not a regular file or a directory.

```js
ignore (_, header) {
  // pass files & directories, ignore e.g. symlinks
  return header.type !== 'file' && header.type !== 'directory'
}
```
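The workaround above, as an added example that is not part of the advisory or the tar-fs project: the same `ignore` predicate packaged into an options object for `tar.extract(dir, options)`, with an audit list of dropped entries so the decision can be logged after extraction. The header objects and the `/tmp/dest` path are constructed here to mirror what tar-fs hands to `ignore()`.

```javascript
// Added example (not from the advisory or the tar-fs project): the advisory's
// workaround as a reusable `ignore` predicate for tar.extract(dir, options),
// plus an audit helper recording which tarball entries were dropped.
// Header objects below are constructed to mirror the fields tar-fs passes.

const ALLOWED_TYPES = new Set(['file', 'directory'])

// tar-fs calls ignore(name, header) for every entry; returning true skips it.
// The first argument (the destination path tar-fs computed) is unused here,
// exactly as in the advisory's snippet.
function ignoreNonFileEntries (_, header) {
  return !ALLOWED_TYPES.has(header.type)
}

// Options object to hand to tar.extract(); `skipped` collects what was
// dropped so it can be logged or alerted on once extraction finishes.
function hardenedExtractOptions () {
  const skipped = []
  return {
    skipped,
    ignore (name, header) {
      const drop = ignoreNonFileEntries(name, header)
      if (drop) {
        skipped.push({ name: header.name, type: header.type, linkname: header.linkname })
      }
      return drop
    }
  }
}

// Constructed sample listing: regular entries mixed with a symlink and a
// hard link, as a tarball would present them to the ignore() callback.
const SAMPLE_HEADERS = [
  { name: 'pkg/package.json', type: 'file' },
  { name: 'pkg/lib', type: 'directory' },
  { name: 'pkg/lib/link', type: 'symlink', linkname: '/etc' },
  { name: 'pkg/hard', type: 'link', linkname: 'pkg/package.json' }
]

// Runs the predicate over a listing (no filesystem access); returns the
// names that would be written and the audit trail of dropped entries.
function simulateExtraction (headers) {
  const opts = hardenedExtractOptions()
  const kept = headers
    .filter(h => !opts.ignore('/tmp/dest/' + h.name, h)) // constructed dest
    .map(h => h.name)
  return { kept, skipped: opts.skipped }
}
```

Pass `hardenedExtractOptions()` as the second argument of `tar.extract()` and inspect its `skipped` array afterwards.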

### Credit
Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.

Affected Packages

npm tar-fs: affected versions >= 0, < 1.16.5 (fixed in 1.16.5)
npm tar-fs: affected versions >= 2.0.0, < 2.1.3 (fixed in 2.1.3)
npm tar-fs: affected versions >= 3.0.0, < 3.0.9 (fixed in 3.0.9)

Key Information

GHSA ID
GHSA-8cj5-5rvv-wf4v
Published
June 3, 2025 6:14 AM
Last Modified
August 14, 2025 7:26 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
tar-fs
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.