CVE-2025-25724

low-risk

Published 2025-03-02

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

Do I need to act?

0.03% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.0/10 Medium

LOCAL / HIGH complexity

Affected Products (1)

Libarchive

Affected Vendors

Libarchive

References (3)

Third Party Advisory https://gist.github.com/Ekkosun/a83870ce7f3b7813b9b462a395e8ad92

Exploit https://github.com/Ekkosun/pocs/blob/main/bsdtarbug

Product https://github.com/libarchive/libarchive/blob/b439d586f53911c84be5e380445a8a259e...

/ 100

low-risk

Severity 10/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal