{"id":"AZL-62236","summary":"CVE-2025-48387 affecting package reaper for versions less than 3.1.1-19","details":"tar-fs provides filesystem bindings for tar-stream. In versions prior to 3.0.9, 2.1.3, and 1.16.5, extracting a specially crafted tarball can write outside the specified directory. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to skip entries that are not files or directories.","modified":"2026-04-01T05:20:01.935626Z","published":"2025-06-02T20:15:22Z","upstream":["CVE-2025-48387"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-48387"}],"affected":[{"package":{"name":"reaper","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/reaper"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.1-19"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-62236.json"}}],"schema_version":"1.7.5"}