CVE-2025-25724

HIGH EPSS 24.7%
Published Mar 2, 20251y ago · Modified Jun 17, 20261w ago
7.8 CVSS 3.1
High
Find Similar
Published Mar 2, 2025 1y ago
Last Modified Jun 17, 2026 1w ago

Description

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
24.7% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-252

Affected Products 1

VendorProductVersionRange
libarchivelibarchive* ≤3.7.7

References 3

  • gist.github.com https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92
    Third Party Advisory
  • github.com https://github.com/Ekkosun/pocs/blob/main/bsdtarbug
    Exploit
  • github.com https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752
    Product

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.