tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8367-1 advisory.

    It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker     could possibly use this issue to write or overwrite files outside the intended extraction directory. This     issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-12905)

    It was discovered that tar-fs did not properly validate extraction paths for certain crafted tar archives.
    An attacker could possibly use this issue to write files outside the intended extraction directory. This     issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-48387)

    It was discovered that tar-fs had a symlink validation bypass when extracting crafted tar files. An     attacker could possibly use this issue to write files outside the intended extraction directory.
    (CVE-2025-59343)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101479 advisory.

  - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an     issue where an extract can write outside the specified dir with a specific tarball. This has been patched     in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non     files/directories. (CVE-2025-48387)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an     issue where an extract can write outside the specified dir with a specific tarball. This has been patched     in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non     files/directories. (CVE-2025-48387)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-48387 advisory.

  - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an     issue where an extract can write outside the specified dir with a specific tarball. This has been patched     in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non     files/directories. (CVE-2025-48387)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-ad2565414f advisory.

    Fix CVE-2025-48387.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-732290e75c advisory.

    Fix CVE-2025-48387.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4214 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4214-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     June 11, 2025                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : node-tar-fs     Version        : 2.1.3-0+deb11u1     CVE ID         : CVE-2024-12905 CVE-2025-48387     Debian Bug     : 1101501

    Path traversal has been fixed in node-tar-fs, a Node.js module that     provides filesystem-like access to tar files.

    CVE-2024-12905

        symlink path traversal

    CVE-2025-48387

        hardlink path traversal

    For Debian 11 bullseye, these problems have been fixed in version     2.1.3-0+deb11u1.

    We recommend that you upgrade your node-tar-fs packages.

    For the detailed security status of node-tar-fs please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/node-tar-fs

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
318627	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : tar-fs vulnerabilities (USN-8367-1)	Nessus	Ubuntu Local Security Checks	high
282323	Atlassian Confluence < 8.5.10 / 8.6.x < 9.2.5 / 9.3.x < 9.3.1 / 9.4.x < 9.5.1 / 10.0.x < 10.0.2 (CONFSERVER-101479)	Nessus	CGI abuses	high
248176	Linux Distros Unpatched Vulnerability : CVE-2025-48387	Nessus	Misc.	high
241878	CBL Mariner 2.0 Security Update: reaper (CVE-2025-48387)	Nessus	MarinerOS Local Security Checks	high
238420	Fedora 41 : yarnpkg (2025-ad2565414f)	Nessus	Fedora Local Security Checks	high
238370	Fedora 42 : yarnpkg (2025-732290e75c)	Nessus	Fedora Local Security Checks	high
238247	Debian dla-4214 : node-tar-fs - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2025-48387

high

Tenable Plugins

high

high

high

high

high

high

high