Skip to content

tree-sitter-0.20.0.tgz: 4 vulnerabilities (highest severity is: 8.7) [169] #23

Description

@renovate
📂 Vulnerable Library - tree-sitter-0.20.0.tgz

Incremental parsers for node

Path to dependency file: /build/package.json

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available
CVE-2024-12905 🔴 High 8.7 Not Defined 1.3000001% tar-fs-2.1.1.tgz Transitive N/A
CVE-2025-48387 🔴 High 8.7 Not Defined < 1% tar-fs-2.1.1.tgz Transitive N/A
CVE-2025-59343 🔴 High 8.7 Not Defined < 1% tar-fs-2.1.1.tgz Transitive N/A
CVE-2022-25883 🟠 Medium 5.5 Proof of concept < 1% semver-5.7.1.tgz Transitive N/A

Details

🔴CVE-2024-12905

Vulnerable Library - tar-fs-2.1.1.tgz

filesystem bindings for tar-stream

Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • keytar-7.9.0.tgz (Root Library)

    • prebuild-install-7.0.1.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)
  • tree-sitter-0.20.0.tgz (Root Library)

    • prebuild-install-6.1.4.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)

Vulnerability Details

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

Publish Date: Mar 27, 2025 04:25 PM

URL: CVE-2024-12905

Threat Assessment

Exploit Maturity:Not Defined

EPSS:1.3000001%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: mafintosh/tar-fs@a1dd7e7

Release Date: Mar 27, 2025 04:25 PM

Fix Resolution : https://github.com/mafintosh/tar-fs.git - v2.1.2,tar-fs - 3.0.8,tar-fs - 1.16.4,https://github.com/mafintosh/tar-fs.git - v1.16.4,tar-fs - 2.1.2,https://github.com/mafintosh/tar-fs.git - v3.0.8

🔴CVE-2025-48387

Vulnerable Library - tar-fs-2.1.1.tgz

filesystem bindings for tar-stream

Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • keytar-7.9.0.tgz (Root Library)

    • prebuild-install-7.0.1.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)
  • tree-sitter-0.20.0.tgz (Root Library)

    • prebuild-install-6.1.4.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)

Vulnerability Details

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.

Publish Date: Jun 02, 2025 07:20 PM

URL: CVE-2025-48387

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-8cj5-5rvv-wf4v

Release Date: Jun 02, 2025 07:20 PM

Fix Resolution : tar-fs - 1.16.5,https://github.com/mafintosh/tar-fs.git - v3.0.9,https://github.com/mafintosh/tar-fs.git - v1.16.5,tar-fs - 3.0.9,tar-fs - 2.1.3,https://github.com/mafintosh/tar-fs.git - v2.1.3

🔴CVE-2025-59343

Vulnerable Library - tar-fs-2.1.1.tgz

filesystem bindings for tar-stream

Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz

Path to dependency file: /package.json

Dependency Hierarchy:

  • keytar-7.9.0.tgz (Root Library)

    • prebuild-install-7.0.1.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)
  • tree-sitter-0.20.0.tgz (Root Library)

    • prebuild-install-6.1.4.tgz
      • tar-fs-2.1.1.tgz (Vulnerable Library)

Vulnerability Details

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.

Publish Date: Sep 24, 2025 05:43 PM

URL: CVE-2025-59343

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7


Suggested Fix

Type: Upgrade version

Origin: GHSA-vj76-c3g6-qr5v

Release Date: Sep 24, 2025 05:43 PM

Fix Resolution : tar-fs - 3.1.1,tar-fs - 1.16.6,tar-fs - 2.1.4

🟠CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /build/package.json

Dependency Hierarchy:

  • tree-sitter-0.20.0.tgz (Root Library)
    • prebuild-install-6.1.4.tgz
      • node-abi-2.30.1.tgz
        • semver-5.7.1.tgz (Vulnerable Library)

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 21, 2023 05:00 AM

URL: CVE-2022-25883

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:< 1%

Score: 5.5


Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: Jun 21, 2023 05:00 AM

Fix Resolution : semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions