Nanotar
CVE-2025-69874
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.
AnalysisAI
Path traversal in nanotar npm package through 0.2.0. The parseTar() and parseTarGzip() functions allow attackers to write files outside the extraction directory.
Technical ContextAI
CWE-22 path traversal in TAR extraction. Malicious TAR archives can write files to arbitrary locations.
RemediationAI
Update nanotar beyond 0.2.0.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-92fh-27vv-894w