CVE-2025-60753

5.5 MEDIUM

📋 TL;DR

A vulnerability in libarchive's bsdtar allows attackers to cause denial of service through unbounded memory allocation when processing malicious substitution rules. This affects systems using vulnerable versions of libarchive/bsdtar for archive operations. The impact is limited to DoS rather than code execution.

💻 Affected Systems

Products:
  • libarchive
  • bsdtar
Versions: All versions before 3.8.1
Operating Systems: Linux, BSD, macOS, Windows (if using libarchive)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing archives with crafted -s substitution rules

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system crash due to out-of-memory conditions, potentially affecting other services on the same host

🟠

Likely Case

bsdtar process crashes when processing malicious archives, disrupting archive operations

🟢

If Mitigated

Limited to bsdtar process termination without affecting other system components

🌐 Internet-Facing: MEDIUM - Could be exploited if systems process untrusted archives from external sources
🏢 Internal Only: LOW - Requires processing of malicious archives, typically lower risk in controlled environments

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to provide malicious archive files to bsdtar

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.8.1

Vendor Advisory: https://github.com/libarchive/libarchive/issues/2725

Restart Required: No

Instructions:

1. Update libarchive to version 3.8.1 or later
2. For package managers: Use your system's update commands (e.g. apt-get install --only-upgrade on Debian/Ubuntu, yum update on RHEL-family, brew upgrade libarchive on macOS); the package name varies by distribution, so check which package provides bsdtar/libarchive
3. For source builds: Download and compile from https://github.com/libarchive/libarchive/releases

🔧 Temporary Workarounds

Disable substitution processing

Platform: all

Avoid using -s substitution flags when processing untrusted archives

# Do not use: bsdtar -x -s 'PATTERN/REPLACEMENT' archive.tar
# Use instead: bsdtar -x archive.tar

Resource limits

Platform: linux

Set memory limits on bsdtar processes to contain impact

ulimit -v 1048576  # Cap virtual memory at 1 GiB (value is in KiB) for this shell and its children
systemd-run --scope -p MemoryMax=1G bsdtar ...  # cgroup memory cap; MemoryLimit= is the deprecated cgroup v1 spelling

🧯 If You Can't Patch

  • Avoid processing untrusted archives with bsdtar
  • Use alternative archive tools for processing archives from untrusted sources

🔍 How to Verify

Check if Vulnerable:

bsdtar prints the libarchive version it is linked against in its version banner; any version below 3.8.1 is affected: bsdtar --version | grep 'libarchive'

Verify Fix Applied:

Verify the version is 3.8.1 or later. The pattern below matches 3.8.1 and up, including 3.8.10, 3.9.x, 3.10.x and 4.x, which a single-digit range such as 3\.8\.[1-9] would miss: bsdtar --version | grep -E 'libarchive (3\.(8\.([1-9]|[0-9]{2,})|(9|[1-9][0-9]+)\.[0-9]+)|[4-9]\.)'
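An added version-check script (not part of the original advisory) that parses the `bsdtar --version` banner and compares the libarchive version numerically against 3.8.1, so that 3.8.10 and 3.10.0 are recognised as fixed; it assumes the banner format "bsdtar X.Y.Z - libarchive X.Y.Z ..." and purely numeric versions, and the sample banners are constructed.

```shell
#!/bin/sh
# Added example: decide from a `bsdtar --version` banner whether the linked
# libarchive is at or above the fixed release (3.8.1). Assumes the banner
# format "bsdtar X.Y.Z - libarchive X.Y.Z ..." and purely numeric versions.
FIXED_VERSION=3.8.1

# Extract the libarchive version number from a `bsdtar --version` banner.
libarchive_version() {
    printf '%s\n' "$1" | sed -n 's/.*libarchive \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when dotted version $1 >= $2, compared field by field as
# integers, so 3.8.10 > 3.8.1 and 3.10.0 > 3.9.9 (a digit-class regex gets both wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ -n "$x" ] || x=0
        [ -n "$y" ] || y=0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Exit 0 if the banner shows a fixed libarchive, 1 if vulnerable, 2 if unparseable.
bsdtar_fixed() {
    v=$(libarchive_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Constructed sample banners (not from real hosts) covering the regex pitfalls.
for banner in \
    "bsdtar 3.7.4 - libarchive 3.7.4 zlib/1.3.1" \
    "bsdtar 3.8.10 - libarchive 3.8.10 zlib/1.3.1" \
    "bsdtar 3.10.0 - libarchive 3.10.0 zlib/1.3.1"; do
    if bsdtar_fixed "$banner"; then status=fixed; else status="vulnerable/unknown"; fi
    printf '%-12s %s\n' "$(libarchive_version "$banner")" "$status"
done

# Live check on this host, if bsdtar is installed.
if command -v bsdtar >/dev/null 2>&1; then
    bsdtar_fixed "$(bsdtar --version 2>&1)" && echo "host: fixed" || echo "host: vulnerable or unknown"
fi
```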

📡 Detection & Monitoring

Log Indicators:

  • bsdtar process crashes with out-of-memory errors
  • High memory usage by bsdtar processes
  • Kernel OOM killer terminating bsdtar

Network Indicators:

  • Large archive downloads followed by process crashes

SIEM Query:

process.name="bsdtar" AND (event.action="process_crash" OR memory.usage>90%)
