Vulnerability Details : CVE-2025-25724
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check the strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
Vulnerability category: Denial of service
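The unchecked-return pattern described above, shown in its checked form as an added example (this is illustrative code, not libarchive's): a hypothetical format_entry_time() writes a timestamp into a fixed 100-byte buffer and treats a zero return from strftime as "did not fit" instead of printing the indeterminate buffer contents.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper, added for illustration (not libarchive's code).
 * It formats a timestamp for a listing line into a fixed 100-byte buffer,
 * mirroring the buffer size named in the CVE description.  strftime()
 * returns 0 when the result (including the terminating NUL) does not fit,
 * and the buffer contents are then indeterminate, so a caller that prints
 * the buffer anyway reads garbage.  Here the return value is checked and
 * the buffer is overwritten with a safe marker instead.
 * Returns 1 when strftime succeeded, 0 when a fallback string was written. */
#define TIMEBUF_LEN 100

int format_entry_time(char *buf, size_t buflen, const char *fmt, time_t t)
{
    /* gmtime() keeps the output independent of the local time zone. */
    struct tm *tmp = gmtime(&t);
    if (tmp == NULL) {
        snprintf(buf, buflen, "(invalid time)");
        return 0;
    }
    size_t n = strftime(buf, buflen, fmt, tmp);
    if (n == 0) {
        /* Did not fit, e.g. a locale-specific format that expands past
         * buflen.  Replace the indeterminate bytes before anyone uses them. */
        snprintf(buf, buflen, "(time too long)");
        return 0;
    }
    return 1;
}

int main(void)
{
    char buf[TIMEBUF_LEN];
    /* Constructed inputs: a normal format, and one whose output (6 x 19 bytes)
     * is guaranteed to exceed the 100-byte buffer. */
    const char *short_fmt = "%Y-%m-%d %H:%M:%S";
    const char *long_fmt = "%Y-%m-%d %H:%M:%S %Y-%m-%d %H:%M:%S %Y-%m-%d %H:%M:%S "
                           "%Y-%m-%d %H:%M:%S %Y-%m-%d %H:%M:%S %Y-%m-%d %H:%M:%S";
    printf("%d: %s\n", format_entry_time(buf, sizeof buf, short_fmt, (time_t)0), buf);
    printf("%d: %s\n", format_entry_time(buf, sizeof buf, long_fmt, (time_t)0), buf);
    return 0;
}
```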
Products affected by CVE-2025-25724
Exploit prediction scoring system (EPSS) score for CVE-2025-25724
0.01%
Probability of exploitation activity in the next 30 days
CVSS scores for CVE-2025-25724
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L | N/A | N/A | MITRE | 2025-03-02 |
4.0 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L | 1.4 | 2.5 | MITRE | 2025-03-02 |
CWE ids for CVE-2025-25724
- The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Assigned by:
- 8254265b-2729-46b6-b9e3-3dfca2d5bfca (Primary)
- cve@mitre.org (Secondary)
References for CVE-2025-25724
- https://github.com/Ekkosun/pocs/blob/main/bsdtarbug (pocs/bsdtarbug at main · Ekkosun/pocs · GitHub)
- https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e19114c/tar/util.c#L751-L752 (libarchive/tar/util.c at b439d586f53911c84be5e380445a8a259e19114c · libarchive/libarchive · GitHub)
- https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92 (OPTFuzz · GitHub)