tar Reader Denial of Service

MEDIUM (4.3) No Patch (51 days)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 2%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

The tar.Reader library is a part of the GNU tar package, used to read and extract archives. A maliciously-crafted archive containing sparse regions can cause the Reader to consume excessive memory, leading to a denial-of-service (DoS) condition.
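The defensive pattern for this class of bug is to bound what a reader is allowed to expand before it reads anything. The following is an added example, not code from the advisory, GNU tar, or the listed package: it uses Go's standard archive/tar (assumed here as a convenient tar reader for illustration) to reject any entry whose declared size, which for a sparse member is the expanded size including holes, exceeds a cap, and streams accepted bodies so memory never grows with the archive's claims. The sample archive is constructed in-memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// ErrEntryTooLarge is returned when an entry's declared size exceeds the cap.
var ErrEntryTooLarge = errors.New("tar entry exceeds size cap")

// ScanBounded walks a tar stream and returns the names of entries it accepted.
// hdr.Size is checked before any body data is read, so a header that declares
// a huge expanded size is refused without allocating for it. Accepted bodies
// are drained into io.Discard, which copies through a small fixed buffer.
func ScanBounded(r io.Reader, maxEntry int64) ([]string, error) {
	tr := tar.NewReader(r)
	var names []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return names, nil
		}
		if err != nil {
			return names, err
		}
		if hdr.Size > maxEntry {
			return names, fmt.Errorf("%w: %q declares %d bytes", ErrEntryTooLarge, hdr.Name, hdr.Size)
		}
		if _, err := io.Copy(io.Discard, tr); err != nil { // bounded memory regardless of Size
			return names, err
		}
		names = append(names, hdr.Name)
	}
}

// entry is a constructed sample member used to build a test archive.
type entry struct{ name, body string }

// buildArchive writes the entries, in order, into an in-memory tar (constructed sample data).
func buildArchive(entries []entry) []byte {
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e.name, Mode: 0o644, Size: int64(len(e.body))})
		tw.Write([]byte(e.body))
	}
	tw.Close()
	return b.Bytes()
}

func main() {
	archive := buildArchive([]entry{{"small.txt", "hello"}, {"big.bin", "0123456789abcdef"}})
	names, err := ScanBounded(bytes.NewReader(archive), 8)
	fmt.Println(names, err) // [small.txt] tar entry exceeds size cap: "big.bin" declares 16 bytes
}
```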

Am I affected?

You're affected if you use GNU tar versions 1.32.0-2ubuntu1~20.04.3+1~20.04.4 or earlier on Ubuntu systems, or any other version that doesn't set a maximum size for sparse region data blocks. Run tar --version to check the exact installed version.

Note: This is not directly related to tar.Reader in Go, which has a different CVE (CVE-2025-4014). The current CVE affects GNU tar on Linux systems.

Affected Packages

go: github.com/mozilla/safety-net-go

Affected Products

GNU Project / GNU tar

How to fix

  1. Upgrade to GNU tar 1.32.0-2ubuntu1~20.04.3+1~20.04.4 or later on Ubuntu systems.
  2. For Ubuntu: sudo apt-get update && sudo apt-get install tar=1.32.0-2ubuntu1~20.04.3+1~20.04.4
  3. Immediate mitigations:
     - Restrict network access to your system (firewall it from the public internet)
     - Monitor for unusual archive sizes or patterns