CVE-2025-59343

Description

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.

How to fix CVE-2025-59343

To remediate CVE-2025-59343, upgrade the affected package to a fixed version below.

• Debian/node-tar-fs—upgrade to 2.1.3-0+deb11u2 or later
• Debian/node-tar-fs—upgrade to 2.1.3-0+deb11u2 or later
• —upgrade to 2.1.3-0+deb12u2 or later
• —upgrade to 3.1.1 or later

Is CVE-2025-59343 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.1.3-0+deb11u2
• from 0, < 2.1.3-0+deb11u2
• from 0, < 2.1.3-0+deb12u2
• >= 3.0.0, < 3.1.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-59343
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-59343
• PATCHgithub.com/mafintosh/tar-fs
• WEBgithub.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09