A vulnerability has been identified in the npm package tar-fs. Tracked as GHSA-xrg4-qp5w-2c3w and CVE-2025-48387, it allows files in the file system to be manipulated without being confined to the directory into which the archive is unpacked, subject only to the permissions of the current user. It could therefore be used to overwrite existing files such as ".ssh/id_rsa" or ".bashrc" in the user's home directory.
The issue is classified as critical, given that tar-fs sees about 23 million downloads per week and is a dependency of 1155 projects. It was fixed in versions 3.0.9, 2.1.3 and 1.16.5, released in May; however, information about the vulnerability was disclosed almost three months after the fixes were published.
The vulnerability was caused by insufficient checks on symbolic and hard links, which allowed them to point outside the target directory during unpacking. The check was bypassed with two symbolic links: the first points to the root directory of the archive ("."), and the second is created relative to the first, using "../" in its name to step above the base directory. A hard link that references an external file relative to the second symbolic link then makes it possible to manipulate files outside the extraction directory.
Additionally, a similar vulnerability with CVE number CVE-2025-55188 has been reported.