CVE-2025-69874 — nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()

Description

nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence.

How to fix CVE-2025-69874

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

npm/nanotar—no fix listed

Is CVE-2025-69874 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 0.2.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-69874
PATCHgithub.com/unjs/nanotar
WEBgithub.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69874-nanotar-Path-Traversal.md
WEBwww.npmjs.com/package/nanotar