Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-25724

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Published

2025-03-02T02:15:36.603

Last Modified

2025-07-17T15:56:36.083

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 4.0 (MEDIUM)

Weaknesses

Type: Secondary
CWE-252

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	libarchive	libarchive	≤ 3.7.7	Yes

References

https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92 Third Party Advisory ([email protected])
https://github.com/Ekkosun/pocs/blob/main/bsdtarbug Exploit ([email protected])
https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752 Product ([email protected])