Update dependency tar-fs to v2.1.4 [SECURITY]#66
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
bbb5a0a to
a9e8016
Compare
a9e8016 to
932ef7b
Compare
932ef7b to
0ee67a1
Compare
0ee67a1 to
72265be
Compare
72265be to
f43bca1
Compare
f43bca1 to
77f7298
Compare
77f7298 to
7832c40
Compare
7832c40 to
28c445e
Compare
28c445e to
1f81de9
Compare
1f81de9 to
367e2a9
Compare
367e2a9 to
3d34d7c
Compare
3d34d7c to
c15443d
Compare
c15443d to
7457158
Compare
7457158 to
25c5687
Compare
Author
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. |
25c5687 to
7457158
Compare
7457158 to
0401561
Compare
0401561 to
3b7f70b
Compare
3b7f70b to
7457158
Compare
7457158 to
65d2bfa
Compare
65d2bfa to
498b991
Compare
498b991 to
7457158
Compare
7457158 to
232baf7
Compare
232baf7 to
66b876f
Compare
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.1.1→2.1.4tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
CVE-2024-12905 / GHSA-pq67-2wwv-3xjx
More information
Details
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.
PoC
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
tar-fs can extract outside the specified dir with a specific tarball
CVE-2025-48387 / GHSA-8cj5-5rvv-wf4v
More information
Details
Impact
v3.0.8, v2.1.2, v1.16.4 and below
Patches
Has been patched in 3.0.9, 2.1.3, and 1.16.5
Workarounds
You can use the ignore option to ignore non files/directories.
Credit
Thank you Caleb Brown from Google Open Source Security Team for reporting this in detail.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
CVE-2025-59343 / GHSA-vj76-c3g6-qr5v
More information
Details
Impact
v3.1.0, v2.1.3, v1.16.5 and below
Patches
Has been patched in 3.1.1, 2.1.4, and 1.16.6
Workarounds
You can use the ignore option to ignore non files/directories.
Credit
Reported by: Mapta / BugBunny_ai
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
mafintosh/tar-fs (tar-fs)
v2.1.4Compare Source
v2.1.3Compare Source
v2.1.2Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.