tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:19201 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-platform-ui: tar-fs symlink validation bypass (CVE-2025-59343)
    * python3.11-django: Potential partial directory-traversal via archive.extract() (CVE-2025-59682)
    * automation-eda-controller: Sensitive Internal Headers Disclosure in AAP EDA Event Streams     (CVE-2025-9908)
    * automation-eda-controller: Event Stream Test Mode Exposes Sensitive Headers in AAP EDA (CVE-2025-9907)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes included:

    Automation Platform
    * Fixes issue that prevents SAML and AzureAD authentication when local user accounts share the same email     address (AAP-56518)
    * Updated error handling in the Authenticator form to match other forms in the Platform UI (AAP-56356)
    * Update autocomplete settings (AAP-55783)
    * Added a step in the subscription wizard that allows the user to configure automation analytics     (AAP-55094)
    * Subscription credentials can no longer be viewed/edited from the system settings page (AAP-55014)
    * Fixed the permission list when creating a custom role and selecting the Automation Decisions project or     credential types (AAP-54756)
    * Fixed an issue where the settings did not display Red Hat consistently in the API and UI (AAP-54276)
    * Fixed an issue where the Load More in authentication mapping role dropdown did not work (AAP-54049)
    * Fixed an issue where the decision environment dropdown displayed an empty dropdown when there are no     decision environments available (AAP-53844)
    * Component label for Platform Auditor role was fixed to display all components (AAP-53551)
    * Topology layout and full screen mode were fixed (AAP-51106)
    * Empty strings are no longer displayed in the extra variables field on the Jobs > Details page     (AAP-49448)
    * Added two new toggle options on the subscription wizard to allow for fetching subscriptions using basic     authentication (AAP-47865)
    * Fixed default execution environment selection in the automation settings page (AAP-39321)
    * automation-gateway has been updated to 2.6.20251022
    * automation-gateway-proxy has been updated to 2.6.6-4
    * automation-platform-ui has been updated to 2.6.2
    * python3.11-django-ansible-base has been updated to 2.6.20251023

    Automation controller
    * The metrics endpoint no longer returns duplicate metrics(AAP-56148)
    * Fixed Platform Auditor to view controller settings (AAP-55607)
    * Added support for Red Hat username and password for the subscription management API (AAP-54975)
    * Fixed system_administrator role creation race condition (AAP-54963)
    * Improved stability on long-running jobs, clusters under heavy load and network flakiness in receptor     (AAP-53742)
    * Fixed an issue where the ansible.platform collection did not work with the default Red Hat Ansible     Automation Platform credential type (AAP-41000)
    * automation-controller has been updated to 4.7.4
    * receptor has been updated to 1.6.0

    Automation hub
    * Fixed an issue where _ui/v2/ user detail displayed the data incorrectly (AAP-54260)
    * automation-hub has been updated to 4.11.2
    * python3.11-galaxy-importer has been updated to 0.4.34
    * python3.11-galaxy-ng has been updated to 4.11.2

    Event-Driven Ansible
    * automation-eda-controller has been updated to 1.2.1

    Container-based Ansible Automation Platform
    * Fixed issue with the lightspeed containers configuration when running installation for the second time     over the existing AAP (AAP-56263)
    * Set REDHAT_CANDLEPIN_VERIFY to correct CA pem so that controller can make requests to     subscription.rhsm.redhat.com (AAP-55180)
    * Implemented ansible-core version validation (AAP-54932)
    * containerized installer setup has been updated to 2.6-2

    RPM-based Ansible Automation Platform
    * Fixed an issue where setting automationgateway_disable_https=false resulted in install failure     (AAP-55466)
    * Set REDHAT_CANDLEPIN_VERIFY to correct CA pem so that controller can make requests to     subscription.rhsm.redhat.com (AAP-55183)
    * Fixed an issue where RESOURCE_KEY SECRET_KEY was not updated when restoring from a different environment     (AAP-54942)
    * Fixed an issue where EDA DE credentials failed to populate on initial install (AAP-54519)
    * Fixed an issue where automation gateway's envoy.log did not receive logs after it was rotated     (AAP-51779)
    * ansible-automation-platform-installer and installer setup have been updated to 2.6-2

    Additional changes
    * Updated ansible-builder and ansible-navigator to use EE images from ansible-automation-platform-26     namespace by default (AAP-54934)
    * aap-metrics-utility has been updated to 0.6.1
    * ansible-builder has been updated to 3.1.0-2
    * ansible-navigator has been updated to 25.8.0-2
    * python3.11-daemon has been updated to 3.1.2
    * python3.11-django has been updated to 4.2.25

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-ee9e7fb981 advisory.

    Fix CVE-2025-59343.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:18979 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * python3.11-django: Potential partial directory-traversal via archive.extract() (CVE-2025-59682)
    * automation-gateway: tar-fs symlink validation bypass (CVE-2025-59343)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes included:

    Automation Platform
    * Azure AD authentication now searches more fields to find the username override field specified. If not     found it will log a warning message indicating which fields are valid (AAP-53789)
    * Support TLSv1.3 on server-to-server requests, where previously services which only supported TLSv1.3     would not work (AAP-49456)
    * Added a step in the subscription wizard that allows the user to configure automation analytics     (AAP-55094)
    * Subscription credentials can no longer be viewed/edited from the system settings page (AAP-55014)
    * Fixed an issue where the settings displayed Red Hat inconsistently in the API and UI (AAP-54277)
    * Fixed a bug where platform auditors were not able to see Automation Execution and Platform level     settings (AAP-53975)
    * Fixed an issue where some fields were missing the autocomplete = new-password setting (AAP-53934)
    * Fixed an issue where AAP could not set/create a playbook when using branch override (AAP-52566)
    * Empty strings are no longer displayed in the extra variables field on the Jobs > Details page     (AAP-49448)
    * Added two new toggle options on the subscription wizard to allow for fetching subscriptions using basic     authentication (AAP-47865)
    * Fixed validation of prompt-on-launch credentials in a workflow job template (AAP-40540)
    * Fixed an issue for comments in extra vars sections, all comments in YAML are now persisted on create and     edit operations for a resource (AAP-37071)
    * Updated error handling in the Authenticator form to match other forms in the Platform UI (AAP-22928)
    * automation-gateway has been updated to 2.5.20251022
    * automation-gateway-proxy has been updated to 2.5.10-3 for RHEL8
    * automation-gateway-proxy has been updated to 2.6.6-4 for RHEL9
    * python3.11-django-ansible-base has been updated to 2.5.20251022

    Automation controller
    * Fixed an issue where the ansible.platform collection did not work with the default Red Hat Ansible     Automation Platform credential type (AAP-55685)
    * Fixed an issue in callback receiver and dispatcher crash loop state caused by re-running the installer     with modified inventory hostname (AAP-55638)
    * Added support for Red Hat username and password for the subscription management API (AAP-54976)
    * Fixes system_administrator role creation race condition which most commonly happened on new openshift     deployments resulting in the default instance group not being created (AAP-54964)
    * Fixed an issue where Grafana notifications couldn't have an empty dashboard ID or panel ID (AAP-54654)
    * Improved stability on long-running jobs, clusters under heavy load and network flakiness in receptor     (AAP-53742)
    * Fixed Platform Auditor to view controller settings (AAP-53345)
    * Added missing instruction to set an environment variable in the CLI in order to achieve compatibility     with the current release (AAP-37812)
    * Fixed Platform Auditor to view Metrics API endpoint (AAP-36492)
    * automation-controller has been updated to 4.6.21
    * receptor has been updated to 1.6.0

    Automation hub
    * Fixed an issue where _ui/v2/ user detail displayed the data correctly (AAP-55957)
    * automation-hub has been updated to 4.10.9
    * python3.11-galaxy-ng has been updated to 4.10.9
    * python3.11-galaxy-importer has been updated to 0.4.34

    Container-based Ansible Automation Platform
    * Set REDHAT_CANDLEPIN_VERIFY to correct CA pem so that controller can make requests to     subscription.rhsm.redhat.com (AAP-55181)
    * Implemented preflight ansible-core version validation (AAP-54931)
    * Fixed a bug where Ansible would fail to gather the system's UUID for Linux on Power (AAP-54540)
    * containerized installer setup has been updated to 2.5-20

    RPM-based Ansible Automation Platform
    * Fixed an issue where setting automationgateway_disable_https=false resulted in install failure     (AAP-55475)
    * Set REDHAT_CANDLEPIN_VERIFY to correct CA pem so that controller can make requests to     subscription.rhsm.redhat.com (AAP-55184)
    * Fixed issue where RESOURCE_KEY SECRET_KEY was not updated when restoring from a different environment     (AAP-54944)
    * Fixed issue where EDA DE credentials failed to populate on initial install (AAP-54520)
    * Fixed an issue where automation gateway's envoy.log did not receive logs after it was rotated     (AAP-54079)
    * ansible-automation-platform-installer and installer setup have been updated to 2.5-19

    Additional changes
    * python3.11-django has been updated to 4.2.25

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-4dd58248ff advisory.

    Fix CVE-2025-59343.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-418da1e0e6 advisory.

    Fix CVE-2025-59343.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are     vulnerable to symlink validation bypass if the destination directory is predictable with a specific     tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the     ignore option on non files/directories. (CVE-2025-59343)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4313 advisory.

    -lts-announce@lists.debian.org     Subject: [SECURITY] [DLA 4313-1] node-tar-fs security update

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4313-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                                 Yadd     September 27, 2025                            https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : node-tar-fs     Version        : 2.1.3-0+deb11u2     CVE ID         : CVE-2025-59343     Debian Bug     :

    node-tar-fs versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to     symlink validation bypass if the destination directory is predictable     with a specific tarball.

    For Debian 11 bullseye, this problem has been fixed in version     2.1.3-0+deb11u2.

    We recommend that you upgrade your node-tar-fs packages.

    For the detailed security status of node-tar-fs please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/node-tar-fs

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has a package installed that is affected by a vulnerability as referenced in the dsa-6013 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6013-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     September 28, 2025                    https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : node-tar-fs     CVE ID         : CVE-2025-59343

    It was discovered that the symlink validation in node-tar-fs, a Node.js     module that provides filesystem-like access to tar files, could be     bypassed.

    For the oldstable distribution (bookworm), this problem has been fixed     in version 2.1.3-0+deb12u2.

    For the stable distribution (trixie), this problem has been fixed in     version 3.0.9+~cs2.0.4-1+deb13u1.

    We recommend that you upgrade your node-tar-fs packages.

    For the detailed security status of node-tar-fs please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/node-tar-fs

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
271928	RHEL 9 : Red Hat Ansible Automation Platform 2.6 Product Security and Bug Fix Update (Important) (RHSA-2025:19201)	Nessus	Red Hat Local Security Checks	high
271470	Fedora 43 : yarnpkg (2025-ee9e7fb981)	Nessus	Fedora Local Security Checks	high
271208	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update (Important) (RHSA-2025:18979)	Nessus	Red Hat Local Security Checks	high
269778	Fedora 41 : yarnpkg (2025-4dd58248ff)	Nessus	Fedora Local Security Checks	high
269758	Fedora 42 : yarnpkg (2025-418da1e0e6)	Nessus	Fedora Local Security Checks	high
266032	Linux Distros Unpatched Vulnerability : CVE-2025-59343	Nessus	Misc.	high
266028	Debian dla-4313 : node-tar-fs - security update	Nessus	Debian Local Security Checks	high
266026	Debian dsa-6013 : node-tar-fs - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2025-59343

high

Tenable Plugins

high

high

high

high

high

high

high

high