Cyber Posture

CVE-2025-69874

Critical · Public PoC

Published: 11 February 2026
Modified: 03 April 2026
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.6th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequences.

Mitigating Controls (NIST 800-53 r5) [AI]

- prevent: Timely remediation of the path traversal flaw in nanotar through 0.2.0 directly eliminates the vulnerability in the parseTar() and parseTarGzip() functions.
- prevent: Validates information inputs such as tar archive entry paths to block path traversal sequences and prevent arbitrary file writes outside the extraction directory.
- prevent: Enforces least privilege on processes using nanotar to limit the scope of arbitrary file writes even if path traversal succeeds.

Security Summary [AI]

CVE-2025-69874 is a path traversal vulnerability (CWE-22) in the nanotar npm package through version 0.2.0. The flaw affects the parseTar() and parseTarGzip() functions, which do not properly sanitize path traversal sequences in crafted tar archives, enabling extraction of files outside the intended directory.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a malicious tar archive, attackers can achieve arbitrary file writes on the target system, potentially leading to full compromise through overwrite of critical files.

Mitigation details and further analysis are available in the primary advisory at https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69874-nanotar-Path-Traversal.md, along with the project repository at https://github.com/unjs/nanotar and package page at https://www.npmjs.com/package/nanotar.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: unjs nanotar ≤ 0.2.0

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in nanotar allows remote unauthenticated arbitrary file writes via crafted tar archives, directly enabling exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
