CVE-2025-46394
3.2 LOW
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Published: 2025-04-23 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 3.2 LOW
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N
- CWE: CWE-451
Affected products
| Vendor | Product |
|---|---|
| busybox | busybox |
Description
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2025-46394
- [Other] https://bugs.busybox.net/show_bug.cgi?id=16018
- [Other] https://www.busybox.net
- [Other] https://www.busybox.net/downloads/
- [Other] http://www.openwall.com/lists/oss-security/2025/04/23/5
- [Other] http://www.openwall.com/lists/oss-security/2025/04/24/3
- [Other] https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Related CVEs
Same vendor
- CVE-2025-60876 — BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the... (6.5 MEDIUM)
Same CWE
- CVE-2026-45650 — User interface (ui) misrepresentation of critical information in Microsoft Bing allows an unauthorized attacker to perform spoofing over ... (4.3 MEDIUM)
- CVE-2026-11300 — Inappropriate implementation in Permissions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via ... (4.3 MEDIUM)
- CVE-2026-11294 — Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to perform UI spoofing via a ... (4.3 MEDIUM)
- CVE-2026-11286 — Insufficient validation of untrusted input in Wallet in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromise... (4.3 MEDIUM)
- CVE-2026-11285 — Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 149.0.7827.53 allowed a remote attacker to perform UI spo... (4.3 MEDIUM)