CVE-2025-25724

Published: Mar 2, 2025

Modified: Mar 4, 2025

PUBLISHED

CVSS v3.1

4.0

MEDIUM

Description

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Vendor	Product	Versions
libarchive	libarchive	affected `0 - <= 3.7.7`

Weaknesses (CWE)

CWE-252

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://github.com/Ekkosun/pocs/blob/main/bsdtarbug

https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752

https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-25724

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References