keytar-7.9.0.tgz: 4 vulnerabilities (highest severity is: 7.5) #43
Description
Vulnerable Library - keytar-7.9.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar-fs/package.json
Found in HEAD commit: a931f77b530aea29f7ca45b0dcd6db0d861a3320
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (keytar version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2025-59343 |  High |
7.5 | Not Defined | 0.0% | tar-fs-2.1.1.tgz | Transitive | N/A* | ❌ | |
| CVE-2025-48387 | High |
7.5 | Not Defined | 0.2% | tar-fs-2.1.1.tgz | Transitive | N/A* | ❌ | |
| CVE-2024-12905 | High |
7.5 | Not Defined | 1.3000001% | tar-fs-2.1.1.tgz | Transitive | N/A* | ❌ | |
| CVE-2022-25883 |  Medium |
5.3 | Proof of concept | 0.6% | semver-7.3.8.tgz | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2025-59343
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar-fs/package.json
Dependency Hierarchy:
- keytar-7.9.0.tgz (Root Library)
- prebuild-install-7.1.1.tgz
- ❌ tar-fs-2.1.1.tgz (Vulnerable Library)
- prebuild-install-7.1.1.tgz
Found in HEAD commit: a931f77b530aea29f7ca45b0dcd6db0d861a3320
Found in base branch: main
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.
Publish Date: 2025-09-24
URL: CVE-2025-59343
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj76-c3g6-qr5v
Release Date: 2025-09-24
Fix Resolution: tar-fs - 3.1.1,tar-fs - 2.1.4,tar-fs - 1.16.6
CVE-2025-48387
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar-fs/package.json
Dependency Hierarchy:
- keytar-7.9.0.tgz (Root Library)
- prebuild-install-7.1.1.tgz
- ❌ tar-fs-2.1.1.tgz (Vulnerable Library)
- prebuild-install-7.1.1.tgz
Found in HEAD commit: a931f77b530aea29f7ca45b0dcd6db0d861a3320
Found in base branch: main
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Publish Date: 2025-06-02
URL: CVE-2025-48387
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-8cj5-5rvv-wf4v
Release Date: 2025-06-02
Fix Resolution: tar-fs - 1.16.5,https://github.com/mafintosh/tar-fs.git - v3.0.9,https://github.com/mafintosh/tar-fs.git - v1.16.5,tar-fs - 3.0.9,tar-fs - 2.1.3,https://github.com/mafintosh/tar-fs.git - v2.1.3
CVE-2024-12905
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/tar-fs/package.json
Dependency Hierarchy:
- keytar-7.9.0.tgz (Root Library)
- prebuild-install-7.1.1.tgz
- ❌ tar-fs-2.1.1.tgz (Vulnerable Library)
- prebuild-install-7.1.1.tgz
Found in HEAD commit: a931f77b530aea29f7ca45b0dcd6db0d861a3320
Found in base branch: main
Vulnerability Details
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Publish Date: 2025-03-27
URL: CVE-2024-12905
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.3000001%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2025-03-27
Fix Resolution: https://github.com/mafintosh/tar-fs.git - v2.1.2,tar-fs - 3.0.8,tar-fs - 1.16.4,https://github.com/mafintosh/tar-fs.git - v1.16.4,tar-fs - 2.1.2,https://github.com/mafintosh/tar-fs.git - v3.0.8
CVE-2022-25883
Vulnerable Library - semver-7.3.8.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-7.3.8.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/semver/package.json
Dependency Hierarchy:
- keytar-7.9.0.tgz (Root Library)
- prebuild-install-7.1.1.tgz
- node-abi-3.28.0.tgz
- ❌ semver-7.3.8.tgz (Vulnerable Library)
- node-abi-3.28.0.tgz
- prebuild-install-7.1.1.tgz
Found in HEAD commit: a931f77b530aea29f7ca45b0dcd6db0d861a3320
Found in base branch: main
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-06-21
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity: Proof of concept
EPSS: 0.6%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution: semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2