tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-ad2565414f advisory.

    Fix CVE-2025-48387.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-732290e75c advisory.

    Fix CVE-2025-48387.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4214 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4214-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     June 11, 2025                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : node-tar-fs     Version        : 2.1.3-0+deb11u1     CVE ID         : CVE-2024-12905 CVE-2025-48387     Debian Bug     : 1101501

    Path traversal has been fixed in node-tar-fs, a Node.js module that     provides filesystem-like access to tar files.

    CVE-2024-12905

        symlink path traversal

    CVE-2025-48387

        hardlink path traversal

    For Debian 11 bullseye, these problems have been fixed in version     2.1.3-0+deb11u1.

    We recommend that you upgrade your node-tar-fs packages.

    For the detailed security status of node-tar-fs please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/node-tar-fs

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
238420	Fedora 41 : yarnpkg (2025-ad2565414f)	Nessus	Fedora Local Security Checks	high
238370	Fedora 42 : yarnpkg (2025-732290e75c)	Nessus	Fedora Local Security Checks	high
238247	Debian dla-4214 : node-tar-fs - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2025-48387

high

Tenable Plugins

high

high

high