Mathias Buus

4 exploits, active since Apr 2019
CVE-2018-20835 HIGH WRITEUP
Tar-fs < 1.16.2 - Improper Input Validation
A vulnerability was found in tar-fs before 1.16.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.
CVSS 7.5
CVE-2021-23386 HIGH WRITEUP
dns-packet <5.2.2 - Info Disclosure
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.
CVSS 7.7
CVE-2025-48387 HIGH WRITEUP
tar-fs <3.0.9, <2.1.3, <1.16.5 - Path Traversal
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
CVE-2025-59343 HIGH WRITEUP
NPM Tar-fs < 3.1.1 - Path Traversal
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to a symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in versions 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.