Source: node-tar-fs Version: 3.0.9+~cs2.0.4-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for node-tar-fs. CVE-2025-59343[0]: | tar-fs provides filesystem bindings for tar-stream. Versions prior | to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation | bypass if the destination directory is predictable with a specific | tarball. This issue has been patched in version 3.1.1, 2.1.4, and | 1.16.6. A workaround involves using the ignore option on non | files/directories. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-59343 https://www.cve.org/CVERecord?id=CVE-2025-59343 [1] https://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v [2] https://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09 Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
