DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-69874: nanotar Zip Slip: When "Lightweight" Means "Security Optional"


Vulnerability ID: CVE-2025-69874
CVSS Score: 7.5
Published: 2026-02-11

A high-severity path traversal (Zip Slip) vulnerability exists in nanotar versions <= 0.2.0. The library, a lightweight tar parser for the UnJS ecosystem, returns the file name from each tar header without sanitizing it. An attacker can therefore craft an archive whose entries carry names such as ../../../etc/passwd. When an application uses nanotar to extract such an archive, a primary use case for the library, and writes each entry to the destination directory joined with its header name, the malicious names cause writes outside the intended directory. Depending on which files the process can write, this escalates from arbitrary file write to Remote Code Execution (RCE), for example by overwriting a configuration file that is later loaded.

TL;DR

nanotar <= 0.2.0 trusts tar headers blindly. Attackers can include filenames with ../ sequences (Zip Slip) in archives. If you extract a malicious tarball using this library without manually validating paths, the attacker can overwrite any file your application has write access to (e.g., SSH keys, source code, config files).


Technical Details

  • Vulnerability ID: CVE-2025-69874
  • CWE ID: CWE-22 (Path Traversal)
  • CVSS v3.1: 7.5 (High)
  • Attack Vector: Network
  • Impact: Arbitrary File Write / RCE
  • Exploit Status: PoC Available

Affected Systems

  • nanotar <= 0.2.0 (Fixed in: N/A, manual mitigation required)
  • Node.js applications using nanotar for file extraction
  • UnJS ecosystem tools relying on raw nanotar output

Exploit Details

Mitigation Strategies

  • Application-Layer Validation: Resolve each entry name against the destination directory before writing and reject any entry that does not stay beneath it. Checking the raw header string for '..' is not enough on its own; absolute names and backslash separators also need to be refused.
  • Least Privilege: Run the Node.js process with a user that has write access only to the specific upload/extract directory.
  • Input Sanitization: Reject tar archives containing '..' in filenames during the upload phase if possible.

Remediation Steps:

  1. Locate all instances of parseTar or parseTarGzip in your codebase.
  2. Identify the loop where files are written to disk.
  3. Insert a path canonicalization check using path.resolve on the destination directory and the entry name together.
  4. Ensure the resolved path is the destination directory itself or starts with the destination directory followed by a path separator. Comparing against the bare directory string would accept a sibling such as /tmp/out-evil when the destination is /tmp/out.
  5. Throw an exception or skip entries that fail this check, and do not materialize symlink, hard link or device entries, since a link pointing outside the destination is a second route to the same write.

References


Read the full report for CVE-2025-69874 on our website for more details including interactive diagrams and full exploit analysis.
