{
  "threat_severity" : "Important",
  "public_date" : "2025-09-24T17:43:34Z",
  "bugzilla" : {
    "description" : "tar-fs: tar-fs symlink validation bypass",
    "id" : "2397901",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2397901"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to a symlink validation bypass when the destination directory is predictable and a specially crafted tarball is extracted. This issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6. A workaround is to use the ignore option to skip entries that are not files or directories.", "A symlink validation bypass flaw has been discovered in the npm tar-fs library. Affected versions are vulnerable to a symlink validation bypass when the destination directory is predictable and a specially crafted tarball is extracted." ],
  "affected_release" : [ {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-agent-init-rhel9:0.5.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-db-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-grafana-dashboard-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-openshift-console-plugin-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-operator-bundle:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-ose-oauth-proxy-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-reports-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-rhel9-operator:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/cryostat-storage-rhel9:4.0.3-2"
  }, {
    "product_name" : "Cryostat 4 on RHEL 9",
    "release_date" : "2025-10-06T00:00:00Z",
    "advisory" : "RHSA-2025:17376",
    "cpe" : "cpe:/a:redhat:cryostat:4::el9",
    "package" : "cryostat/jfr-datasource-rhel9:4.0.3-2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18979",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
    "package" : "automation-gateway-0:2.5.20251022-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "release_date" : "2025-10-22T00:00:00Z",
    "advisory" : "RHSA-2025:18979",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
    "package" : "automation-gateway-0:2.5.20251022-1.el9ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6 for RHEL 9",
    "release_date" : "2025-10-28T00:00:00Z",
    "advisory" : "RHSA-2025:19201",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "automation-platform-ui-0:2.6.2-1.el9ap"
  }, {
    "product_name" : "Multicluster Global Hub 1.6.2",
    "release_date" : "2026-03-31T00:00:00Z",
    "advisory" : "RHSA-2026:6226",
    "cpe" : "cpe:/a:redhat:multicluster_globalhub:1.6::el9",
    "package" : "multicluster-globalhub/multicluster-globalhub-grafana-rhel9:sha256:035d205705b2efd62713bea9d05cffdc5db7a437f050c4a3e3f12746b05c29d4"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.6",
    "release_date" : "2025-10-28T00:00:00Z",
    "advisory" : "RHSA-2025:19221",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.6::el9",
    "package" : "ansible-automation-platform-26/gateway-rhel9:sha256:3dce912c04e50532020ef82da326f495f9a191a834c393081d6b3d2a9247f986"
  }, {
    "product_name" : "Red Hat Developer Hub 1.7",
    "release_date" : "2025-11-03T00:00:00Z",
    "advisory" : "RHSA-2025:19529",
    "cpe" : "cpe:/a:redhat:rhdh:1.7::el9",
    "package" : "rhdh/rhdh-hub-rhel9:sha256:385d0b730e3f14f6878221d817b58d31da560c2edc52235b74bbbd8324b29389"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.24",
    "release_date" : "2025-10-23T00:00:00Z",
    "advisory" : "RHSA-2025:19094",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.24::el9",
    "package" : "devspaces/code-rhel9:sha256:36fc35cd401140f3df7c45b8cd5682b7468a5dc8a6288d999508a2c50484eada"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.24",
    "release_date" : "2025-10-23T00:00:00Z",
    "advisory" : "RHSA-2025:19094",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.24::el9",
    "package" : "devspaces/openvsx-rhel9:sha256:11d71f82faabf36868cf538a6242b600854e4bc9bcf4fb8f875ffc0487b28053"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces (RHOSDS) 3.24",
    "release_date" : "2025-10-23T00:00:00Z",
    "advisory" : "RHSA-2025:19094",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3.24::el9",
    "package" : "devspaces/pluginregistry-rhel9:sha256:080273ea4bc751a33eb7451aab099b40eab46ca2b90685e661f478e45c962b71"
  } ],
  "package_state" : [ {
    "product_name" : "Cryostat 4",
    "fix_state" : "Affected",
    "package_name" : "cryostat/cryostat-openshift-console-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:cryostat:4"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/kibana6-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/cluster-logging-operator-bundle",
    "cpe" : "cpe:/a:redhat:logging:6"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/cluster-logging-rhel9-operator",
    "cpe" : "cpe:/a:redhat:logging:6"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/eventrouter-rhel9",
    "cpe" : "cpe:/a:redhat:logging:6"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/log-file-metric-exporter-rhel9",
    "cpe" : "cpe:/a:redhat:logging:6"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/vector-rhel9",
    "cpe" : "cpe:/a:redhat:logging:6"
  }, {
    "product_name" : "Multicluster Engine for Kubernetes",
    "fix_state" : "Not affected",
    "package_name" : "multicluster-engine/console-mce-rhel9",
    "cpe" : "cpe:/a:redhat:multicluster_engine"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-healthcheck-must-gather-rhel9",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-healthcheck-operator-bundle",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Not affected",
    "package_name" : "workload-availability/node-healthcheck-rhel9-operator",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "Node HealthCheck Operator",
    "fix_state" : "Affected",
    "package_name" : "workload-availability/node-remediation-console-rhel9",
    "cpe" : "cpe:/a:redhat:workload_availability_nhc:0"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-api-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-db-migration-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Pipelines",
    "fix_state" : "Affected",
    "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_pipelines:1"
  }, {
    "product_name" : "OpenShift Serverless",
    "fix_state" : "Not affected",
    "package_name" : "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8",
    "cpe" : "cpe:/a:redhat:serverless:1"
  }, {
    "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2",
    "fix_state" : "Not affected",
    "package_name" : "rhacm2/console-rhel9",
    "cpe" : "cpe:/a:redhat:acm:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 6",
    "fix_state" : "Affected",
    "package_name" : "pybind",
    "cpe" : "cpe:/a:redhat:ceph_storage:6"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "fix_state" : "Affected",
    "package_name" : "pybind",
    "cpe" : "cpe:/a:redhat:ceph_storage:7"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "fix_state" : "Affected",
    "package_name" : "pybind",
    "cpe" : "cpe:/a:redhat:ceph_storage:8"
  }, {
    "product_name" : "Red Hat Ceph Storage 9",
    "fix_state" : "Affected",
    "package_name" : "pybind",
    "cpe" : "cpe:/a:redhat:ceph_storage:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "io.syndesis-syndesis-parent",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "org.keycloak-keycloak-parent",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Will not fix",
    "package_name" : "openshift4/ose-console-rhel9",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat Openshift Data Foundation 4",
    "fix_state" : "Not affected",
    "package_name" : "odf4/mcg-core-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_data_foundation:4"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/code-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/code-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Not affected",
    "package_name" : "devspaces/pluginregistry-rhel8",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Will not fix",
    "package_name" : "devspaces-tech-preview/idea-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59343\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59343\nhttps://github.com/mafintosh/tar-fs/commit/0bd54cdf06da2b7b5b95cd4b062c9f4e0a8c4e09\nhttps://github.com/mafintosh/tar-fs/security/advisories/GHSA-vj76-c3g6-qr5v" ],
  "name" : "CVE-2025-59343",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to a widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}