CVE-2025-48387 – Tar extraction path traversal (write outside target directory)

Severity: None

2025-XX-YY


Abstract

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

The Oxygen products incorporate the tar-fs package (via dockerode) in the Content Fusion config-server component. This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product: Oxygen Content Fusion v8.1 and older
Severity: None
Fixed Release Availability: Oxygen Content Fusion 8.1 build 2025062312

Mitigation

None

Detail

CVE-2025-48387

Severity: High

CVSS Score: 8.7

tar-fs versions prior to 3.0.9, 2.1.3, and 1.16.5 allow a crafted tar archive to extract files outside the intended destination directory, resulting in writes outside the specified path. The issue is patched in tar-fs 3.0.9, 2.1.3, and 1.16.5. A documented workaround is to use the ignore option to exclude non-file/directory entries.

Our assessment concludes that the affected functionality is not invoked at product runtime. The issue is therefore not exploitable in supported configurations.

Starting with Oxygen Content Fusion version 8.1 build 2025062312, this issue was fixed by upgrading the dependency to a non-vulnerable version.
