CVE-2025-25724
CVE Details
Visit the official vulnerability details page for CVE-2025-25724 to learn more.
Initial Publication
03/05/2025
Last Update
09/21/2025
Third Party Dependency
libarchive
NIST CVE Summary
list_item_verbose in tar/util.c in libarchive through 3.7.7 does not check an strftime return value, which can lead to a denial of service or unspecified other impact via a crafted TAR archive that is read with a verbose value of 2. For example, the 100-byte buffer may not be sufficient for a custom locale.
CVE Severity
Our Official Summary
A vulnerability exists in the list_item_verbose function (located in tar/util.c) of libarchive versions up to 3.7.7, where the return value of strftime() is not properly checked during time formatting. If the formatted date exceeds the 100-byte buffer—particularly when using custom locales with verbose listing level 2—this could lead to a denial of service (DoS) or other unpredictable behavior.
However, the affected container images are subject to strict access controls and are not exposed outside the cluster. Exploitation would therefore require an attacker to first gain privileged access within the cluster. Furthermore, the containers are hardened and do not permit arbitrary code execution, which significantly mitigates the potential impact. Given these protections and the inherent isolation provided by containers, the overall risk and impact of this vulnerability are considered low.
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.7.20 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
| 4.6.41 | ⚠️ Impacted | ✅ No Impact | ⚠️ Impacted | ✅ No Impact |
Revision History
| Date | Revision |
|---|---|
| 08/12/2025 | Status changed from Open to Ongoing |
| 08/12/2025 | Official summary added |
| 07/18/2025 | Advisory assigned with HIGH severity |
| 05/21/2025 | Advisory severity revised to UNKNOWN from |