📂 Vulnerable Library - tree-sitter-0.20.0.tgz
Incremental parsers for node
Path to dependency file: /build/package.json
Findings
| Finding |
Severity |
🎯 CVSS |
Exploit Maturity |
EPSS |
Library |
Type |
Fixed in |
Remediation Available |
| CVE-2024-12905 |
🔴 High |
8.7 |
Not Defined |
1.3000001% |
tar-fs-2.1.1.tgz |
Transitive |
N/A |
❌ |
| CVE-2025-48387 |
🔴 High |
8.7 |
Not Defined |
< 1% |
tar-fs-2.1.1.tgz |
Transitive |
N/A |
❌ |
| CVE-2025-59343 |
🔴 High |
8.7 |
Not Defined |
< 1% |
tar-fs-2.1.1.tgz |
Transitive |
N/A |
❌ |
| CVE-2022-25883 |
🟠 Medium |
5.5 |
Proof of concept |
< 1% |
semver-5.7.1.tgz |
Transitive |
N/A |
❌ |
Details
🔴CVE-2024-12905
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Publish Date: Mar 27, 2025 04:25 PM
URL: CVE-2024-12905
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.3000001%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: mafintosh/tar-fs@a1dd7e7
Release Date: Mar 27, 2025 04:25 PM
Fix Resolution : https://github.com/mafintosh/tar-fs.git - v2.1.2,tar-fs - 3.0.8,tar-fs - 1.16.4,https://github.com/mafintosh/tar-fs.git - v1.16.4,tar-fs - 2.1.2,https://github.com/mafintosh/tar-fs.git - v3.0.8
🔴CVE-2025-48387
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Publish Date: Jun 02, 2025 07:20 PM
URL: CVE-2025-48387
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-8cj5-5rvv-wf4v
Release Date: Jun 02, 2025 07:20 PM
Fix Resolution : tar-fs - 1.16.5,https://github.com/mafintosh/tar-fs.git - v3.0.9,https://github.com/mafintosh/tar-fs.git - v1.16.5,tar-fs - 3.0.9,tar-fs - 2.1.3,https://github.com/mafintosh/tar-fs.git - v2.1.3
🔴CVE-2025-59343
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.
Publish Date: Sep 24, 2025 05:43 PM
URL: CVE-2025-59343
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj76-c3g6-qr5v
Release Date: Sep 24, 2025 05:43 PM
Fix Resolution : tar-fs - 3.1.1,tar-fs - 1.16.6,tar-fs - 2.1.4
🟠CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /build/package.json
Dependency Hierarchy:
- tree-sitter-0.20.0.tgz (Root Library)
- prebuild-install-6.1.4.tgz
- node-abi-2.30.1.tgz
- ❌ semver-5.7.1.tgz (Vulnerable Library)
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 21, 2023 05:00 AM
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: Jun 21, 2023 05:00 AM
Fix Resolution : semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2
📂 Vulnerable Library - tree-sitter-0.20.0.tgz
Incremental parsers for node
Path to dependency file: /build/package.json
Findings
Details
🔴CVE-2024-12905
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
keytar-7.9.0.tgz (Root Library)
tree-sitter-0.20.0.tgz (Root Library)
Vulnerability Details
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Publish Date: Mar 27, 2025 04:25 PM
URL: CVE-2024-12905
Threat Assessment
Exploit Maturity:Not Defined
EPSS:1.3000001%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: mafintosh/tar-fs@a1dd7e7
Release Date: Mar 27, 2025 04:25 PM
Fix Resolution : https://github.com/mafintosh/tar-fs.git - v2.1.2,tar-fs - 3.0.8,tar-fs - 1.16.4,https://github.com/mafintosh/tar-fs.git - v1.16.4,tar-fs - 2.1.2,https://github.com/mafintosh/tar-fs.git - v3.0.8
🔴CVE-2025-48387
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
keytar-7.9.0.tgz (Root Library)
tree-sitter-0.20.0.tgz (Root Library)
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.
Publish Date: Jun 02, 2025 07:20 PM
URL: CVE-2025-48387
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-8cj5-5rvv-wf4v
Release Date: Jun 02, 2025 07:20 PM
Fix Resolution : tar-fs - 1.16.5,https://github.com/mafintosh/tar-fs.git - v3.0.9,https://github.com/mafintosh/tar-fs.git - v1.16.5,tar-fs - 3.0.9,tar-fs - 2.1.3,https://github.com/mafintosh/tar-fs.git - v2.1.3
🔴CVE-2025-59343
Vulnerable Library - tar-fs-2.1.1.tgz
filesystem bindings for tar-stream
Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz
Path to dependency file: /package.json
Dependency Hierarchy:
keytar-7.9.0.tgz (Root Library)
tree-sitter-0.20.0.tgz (Root Library)
Vulnerability Details
tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.3, and 1.16.5 are vulnerable to symlink validation bypass if the destination directory is predictable with a specific tarball. This issue has been patched in version 3.1.1, 2.1.4, and 1.16.6. A workaround involves using the ignore option on non files/directories.
Publish Date: Sep 24, 2025 05:43 PM
URL: CVE-2025-59343
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-vj76-c3g6-qr5v
Release Date: Sep 24, 2025 05:43 PM
Fix Resolution : tar-fs - 3.1.1,tar-fs - 1.16.6,tar-fs - 2.1.4
🟠CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /build/package.json
Dependency Hierarchy:
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Jun 21, 2023 05:00 AM
URL: CVE-2022-25883
Threat Assessment
Exploit Maturity:Proof of concept
EPSS:< 1%
Score: 5.5
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: Jun 21, 2023 05:00 AM
Fix Resolution : semver - 5.7.2,6.3.1,7.5.2;org.webjars.npm:semver:7.5.2