Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-45582

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 4.1, requiring local system access to exploit but requires specific conditions to be met though user interaction is required and does not require pre-existing privileges . The vulnerability impacts limited integrity, and limited availability for affected systems. Impacting 1 product from gnu organizations running these solutions should prioritize assessment and patching.

Historical Context

Reported in 2025, this vulnerability emerged during an era marked by increased sophistication in supply chain attacks, cloud infrastructure vulnerabilities, and software-as-a-service (SaaS) security challenges. Security practices during this period emphasized zero-trust architectures, container security, and API protection.

Published

2025-07-11T17:15:37.183

Last Modified

2025-11-02T01:15:32.307

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.1 (MEDIUM)

Weaknesses

Type: Secondary
CWE-24

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	gnu	tar	< 1.35	Yes

References

https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md Exploit, Third Party Advisory ([email protected])
https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html ([email protected])
https://www.gnu.org/software/tar/ Product, Release Notes ([email protected])
https://www.gnu.org/software/tar/manual/html_node/Integrity.html ([email protected])
https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html ([email protected])
http://www.openwall.com/lists/oss-security/2025/11/01/6 (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For gnu's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.