VulnerableCode Package Details - pkg:npm/tar-fs@3.0.7

Search for packages

Vulnerability	Summary	Fixed by
VCID-9yvn-36su-rba9 Aliases: CVE-2025-48387 GHSA-8cj5-5rvv-wf4v	tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.	3.0.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-q8uf-4z9d-jqe9 Aliases: CVE-2025-59343 GHSA-vj76-c3g6-qr5v		3.1.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9yvn-36su-rba9
Aliases:
CVE-2025-48387
GHSA-8cj5-5rvv-wf4v

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

3.0.9
Affected by 1 other vulnerability.

VCID-q8uf-4z9d-jqe9
Aliases:
CVE-2025-59343
GHSA-vj76-c3g6-qr5v

3.1.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-sr61-u29y-k3az	An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.	CVE-2024-12905 GHSA-pq67-2wwv-3xjx

Vulnerability

Summary

Aliases

VCID-sr61-u29y-k3az

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

CVE-2024-12905
GHSA-pq67-2wwv-3xjx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-15T01:55:08.257089+00:00	GHSA Importer	Fixing	VCID-sr61-u29y-k3az	https://github.com/advisories/GHSA-pq67-2wwv-3xjx	38.6.0
2026-06-12T20:21:46.601486+00:00	GitLab Importer	Affected by	VCID-q8uf-4z9d-jqe9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2025-59343.yml	38.6.0
2026-06-12T20:03:15.636689+00:00	GitLab Importer	Affected by	VCID-9yvn-36su-rba9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2025-48387.yml	38.6.0
2026-06-12T19:57:24.230961+00:00	GitLab Importer	Fixing	VCID-sr61-u29y-k3az	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/tar-fs/CVE-2024-12905.yml	38.6.0
2026-06-12T07:54:22.542500+00:00	GithubOSV Importer	Fixing	VCID-sr61-u29y-k3az	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-pq67-2wwv-3xjx/GHSA-pq67-2wwv-3xjx.json	38.6.0