CVE-2025-60753

EUVD-2025-37900
An issue was discovered in libarchive bsdtar before version 3.8.1 in function apply_substitution in file tar/subst.c when processing crafted -s substitution rules. This can cause unbounded memory allocation and lead to denial of service (Out-of-Memory crash).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
libarchivelibarchive
𝑥
≤ 3.8.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libarchive
bookworm
unimportant
bookworm (security)
unimportant
bullseye
unimportant
bullseye (security)
unimportant
forky
3.8.5-1
fixed
sid
3.8.5-1
fixed
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libarchive
bionic
Fixed 3.2.2-3.1ubuntu0.7+esm2
released
focal
Fixed 3.4.0-2ubuntu1.5+esm1
released
jammy
Fixed 3.6.0-1ubuntu1.6
released
noble
Fixed 3.7.2-2ubuntu0.6
released
plucky
ignored
questing
Fixed 3.7.7-0ubuntu3.1
released
trusty
Fixed 3.1.2-7ubuntu2.8+esm4
released
xenial
Fixed 3.1.2-11ubuntu0.16.04.8+esm2
released
Common Weakness Enumeration
References
https://github.com/Papya-j/CVE/tree/main/CVE-2025-60753
https://github.com/libarchive/libarchive/issues/2725