2397901 – (CVE-2025-59343) CVE-2025-59343 tar-fs: tar-fs symlink validation bypass

Bug 2397901 (CVE-2025-59343) - CVE-2025-59343 tar-fs: tar-fs symlink validation bypass

Summary: CVE-2025-59343 tar-fs: tar-fs symlink validation bypass

Keywords:
Status:	NEW
Alias:	CVE-2025-59343
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2397967 2397968 2397969 2397970 2397972 2397971 2397973
Blocks:
TreeView+	depends on / blocked

Reported:	2025-09-24 18:01 UTC by OSIDB Bzimport
Modified:	2025-10-28 19:10 UTC (History)
CC List:	80 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2025:17376	None	None	None	2025-10-06 13:05:34 UTC
Red Hat Product Errata	RHSA-2025:18979	None	None	None	2025-10-22 13:10:02 UTC
Red Hat Product Errata	RHSA-2025:19201	None	None	None	2025-10-28 19:10:04 UTC

Description OSIDB Bzimport 2025-09-24 18:01:50 UTC

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.

Comment 3 errata-xmlrpc 2025-10-06 13:05:28 UTC

This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:17376 https://access.redhat.com/errata/RHSA-2025:17376

Comment 4 errata-xmlrpc 2025-10-22 13:09:56 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 9
  Red Hat Ansible Automation Platform 2.5 for RHEL 8

Via RHSA-2025:18979 https://access.redhat.com/errata/RHSA-2025:18979

Comment 5 errata-xmlrpc 2025-10-28 19:09:58 UTC

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.6 for RHEL 9

Via RHSA-2025:19201 https://access.redhat.com/errata/RHSA-2025:19201

Note You need to log in before you can comment on or make changes to this bug.

aazores
abarbaro
adudiak
alcohan
asoldano
bbaranow
bmaxwell
brian.stansberry
caswilli
cmah
darran.lofthouse
dfreiber
dhanak
dkreling
dosoudil
drosa
drow
dsimansk
eaguilar
ebaron
fjuma
gmalinko
gparvin
haoli
hkataria
istudens
ivassile
iweiss
jajackso
janstey
jbalunas
jburrell
jcammara
jcantril
jchui
jhe
jmitchel
jneedle
jolong
kaycoth
kegrant
kingland
koliveir
kshier
ktsao
kverlaen
mabashia
manissin
matzew
mnovotny
mosmerov
msochure
msvehla
nboldt
nwallace
owatkins
pahickey
pbraun
pdelbell
pesilva
pjindal
pmackay
psrna
rhaigner
rojacob
rstancel
rstepani
sausingh
sdawley
shvarugh
simaishi
smaestri
smcdonal
stcannon
teagle
tfister
thavo
tom.jenkinson
vkumar
yguenane