
CVE-2025-25724

CVE Details

Visit the official vulnerability details page for CVE-2025-25724 to learn more.

Initial Publication

03/05/2025

Last Update

09/02/2025

Third Party Dependency

libarchive

NIST CVE Summary

list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.

CVE Severity

7.8

Our Official Summary

A vulnerability exists in the list_item_verbose function (located in tar/util.c) of libarchive versions up to 3.7.7, where the return value of strftime() is not checked during time formatting. If the formatted date does not fit in the 100-byte buffer, which is most likely when a custom locale is in use together with verbose listing level 2, the result can be a denial of service (DoS) or other unpredictable behavior.

However, the affected container images are subject to strict access controls and are not exposed outside the cluster. Exploitation would therefore require an attacker to first gain privileged access within the cluster. Furthermore, the containers are hardened and do not permit arbitrary code execution, which significantly mitigates the potential impact. Given these protections and the inherent isolation provided by containers, the overall risk and impact of this vulnerability are considered low.
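The defect class described above is an unchecked strftime() return value: the C standard specifies that strftime() returns 0 when the formatted output (including the terminating NUL) does not fit in the supplied buffer, and that the buffer contents are then indeterminate, so any caller that uses the buffer without testing the return value is relying on undefined data. The following C program is an added illustration written for this page; it is not libarchive's code and does not reproduce tar/util.c. It contrasts the unchecked pattern with a checked one that falls back to a fixed string, using a 100-byte buffer as in the advisory and a constructed overlong format string (standing in for an overlong locale-specific date) to trigger the failure path. All function and macro names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Same fixed buffer size the advisory mentions (assumption for this example). */
#define DATE_BUF_LEN 100

/* Flawed pattern (not called below): the return value of strftime() is
 * ignored, so when the output does not fit, `out` holds indeterminate
 * bytes, possibly without a terminating NUL, and the caller prints them. */
void format_date_unchecked(char *out, size_t out_len, const char *fmt, time_t t)
{
    struct tm *tm = gmtime(&t);
    strftime(out, out_len, fmt, tm);   /* return value discarded: defect */
}

/* Hardened pattern: only trust `out` when strftime() reports a non-zero
 * length. On failure, overwrite `out` with a fixed, always-terminated
 * fallback so downstream code never reads indeterminate data.
 * Returns 1 on success, 0 on failure. */
int format_date_checked(char *out, size_t out_len, const char *fmt, time_t t)
{
    struct tm *tm = gmtime(&t);
    if (tm == NULL) {
        snprintf(out, out_len, "%s", "(bad time)");
        return 0;
    }
    size_t n = strftime(out, out_len, fmt, tm);
    if (n == 0) {
        /* Output did not fit (or was empty): fail closed with a safe string. */
        snprintf(out, out_len, "%s", "(date too long)");
        return 0;
    }
    return 1;
}

/* Constructed test input: a format string whose literal text alone is
 * longer than DATE_BUF_LEN, so the result can never fit. This stands in
 * for an unusually long locale-specific date representation. */
void make_long_format(char *fmt, size_t fmt_len)
{
    size_t literal = 150;                     /* > DATE_BUF_LEN by design */
    if (literal + 3 > fmt_len)
        literal = fmt_len - 3;
    memset(fmt, 'X', literal);
    fmt[literal] = '%';
    fmt[literal + 1] = 'Y';
    fmt[literal + 2] = '\0';
}

int main(void)
{
    char buf[DATE_BUF_LEN];
    char longfmt[200];

    format_date_checked(buf, sizeof buf, "%Y-%m-%d", (time_t)0);
    printf("short format : %s\n", buf);      /* 1970-01-01 */

    make_long_format(longfmt, sizeof longfmt);
    int ok = format_date_checked(buf, sizeof buf, longfmt, (time_t)0);
    printf("long format  : ok=%d -> %s\n", ok, buf);   /* ok=0 -> (date too long) */
    return 0;
}
```

One caveat worth knowing when applying this check: strftime() also returns 0 for a legitimately empty result (for example an empty format string, or a conversion that expands to nothing in some locales), so a fail-closed fallback like the one above is the safe choice, but callers that need to distinguish "empty" from "truncated" must check the format they pass rather than the return value alone.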

Status

Ongoing

Affected Products & Versions

Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap
4.7.16 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact

Revision History

Date | Revision
08/12/2025 | Status changed from Open to Ongoing
08/12/2025 | Official summary added
07/18/2025 | Advisory assigned with HIGH severity
05/21/2025 | Advisory severity revised to UNKNOWN from