mirror of
https://github.com/git-ai-project/git-ai.git
synced 2026-04-25 14:25:53 +03:00
[GH-ISSUE #258] Security Fix Required: tar-fs Symlink Validation Bypass (CVE-2025-59343) #95
Closed
opened 2026-03-02 04:11:47 +03:00 by kerem
·
1 comment
No Branch/Tag specified
main
sessions-v2-drop-legacy-wrapper
worktree-windsurf-fixes
fix/windsurf-dirty-type-fix
sessions-v2
johnw/review-fix-tests
johnw/review-attribution-test-guidelines
johnw/review-integration-tests
johnw/review-refactor-api
johnw/review-silent-errors
johnw/review-harden-daemon
dependabot/cargo/cargo-1a59d422c9
johnw/synopsis
codex/windows-daemon-restart-upgrade-fix
dependabot/npm_and_yarn/agent-support/vscode/main/eslint-10.2.1
dependabot/cargo/main/interprocess-2.4.2
dependabot/npm_and_yarn/agent-support/vscode/main/typescript-6.0.3
dependabot/npm_and_yarn/agent-support/vscode/main/vscode/vsce-3.9.1
dependabot/cargo/main/openssl-0.10.78
dependabot/npm_and_yarn/agent-support/vscode/main/typescript-eslint/eslint-plugin-8.58.2
dependabot/cargo/main/ureq-3.3.0
dependabot/npm_and_yarn/agent-support/opencode/main/opencode-ai/plugin-1.14.19
dependabot/npm_and_yarn/agent-support/vscode/main/types/vscode-1.116.0
dependabot/cargo/main/tokio-1.52.1
dependabot/npm_and_yarn/agent-support/opencode/main/typescript-6.0.3
dependabot/cargo/main/uuid-1.23.1
worktree-agent-a97fd8c7
fix/partial-add-commit-attribution
perf/daemon-ingest-scalability
fix/daemon-wrapper-daemon-flakiness
johnw/nix-fix
fix/partial-stage-attribution-carryover
fix/rebase-notes-loss-v2
fix/issue-1025-reset-performance
fix/attribution-carryover-on-partial-commit
stats-bar-untracked
fix/rebase-notes-loss
fix/amend-total-additions-inflation
fix/sibling-heuristic-v2
fix/sibling-git-ai-heuristic
fix/total-additions-reset-inherited-prompts
feat/known-human-notepad-plus-plus
feat/known-human-eclipse
feat/known-human-zed
bump-stats-line-limit
feat/known-human-vim
feat/known-human-sublime-text
feat/known-human-visual-studio
feat/known-human-neovim
feat/known-human-xcode
johnw/review-vscode-extension
worktree-feat+git-version-warning
worktree-issue-211-empty-authorship
johnw/missing-notes
johnw/bash-support
feat/prompt-event-fields
devin/1775438423-filter-mock-ai-metrics
fix/external-rebase-preserves-ai-notes
devin/1775442585-mtime-race-checkpoint-promotion
fix/rebase-attribution-remaining-issues
fix/rebase-attribution-pull-rebase-no-verify-autosquash
fix/am-attribution-patch-headers
codeql-java-kotlin-fix
feat-log-dump-command
fix/allow-checkpoint-saving-when-debug-enabled
fix/async-mode-notes-sync
codex/fix-local-debug-daemon-connect
codex/cursor-explicit-checkpoint-paths
devin/1774989709-sentry-sdk-migration
devin/1775066168-fix-merge-commit-stats
devin/1775066000-disable-auth-feature-flag
feat-test-missing-notes-post-push
feat/ssh-alias-resolution
devin/1774936075-fix-show-prompt-commit-scope
fix/issue-870-preserve-prompts-in-ci-squash
devin/1774931412-amend-no-edit-regression
enable-flush-dev-logs
fix/async-mode-test-default
async-mode-default
fix/install-async-mode-config
feat/prompt-event-metric
perf/streaming-fast-import
claude/track-agent-version-WEWmR
hunk-opt
perf/checkpoint-2x-speedup
feat/sharded-notes-refs
remove/git-hooks-hard-cutover
perf/rebase-parallel-notes-and-file-reads
codex/windows-readonly-wrapper-fast-path
fix/stale-daemon-recovery
dev/simulate-authorship
devin/1774410513-cloud-default-ai-attribution
codex/fix-wrapper-default-hooks-forwarding
codex/daemon-phase1
codex/metrics-db-reliability-v2
codex/checkpoint-stress-benchmarks
codex/hook-telemetry-followups
johnw/fix-371
devin/1772084830-perf-batch-git-calls
devin/1772226661-fix-windows-paths-all-agents
codex/pathspec-benchmark-fastpath-fixes
codex/graphite-attribution-suite
codex/cherry-pick-hooks-perf-fix
devin/1771643297-memory-overflow-fixes
devin/1771642821-add-client-metrics-events
devin/1771599590-hooks-rebase-perf
devin/1771642594-memory-overflow-replication
fix/no-write-agent-metrics
fix/makosblade/migrate-initial-attributions
claude/fix-issue-426-buWz9
fix/misc-ci-cd-workflow-patches
feat/large-attr-perf-work
uninstall
feat/prompt-discovery
feat/cursor-tab-hooks
feat/git-diff-engine-experiments
fix/push-rewrite
fix/push
fix/mac-ci
fix/multi-push-signing-bug
wip/stats-delta-2
fix/seconds-waiting
feat/nicer-ci-stats
fix/range-stats-including-other-blames
fix/windows-initial-testing
fix/193
fix/authorship-saved-stats
feat/sentry
fix/bug-git-diff-diverges-on-duplicate-lines
fix/bug-squash
fix/rewrite-performance
fix/cursor-sqlite-prompt-race
fix/commit-single
fix/retain-all-prompts-in-authorship
feat/mockai-pathspecs
fix/time-on-initial
feat/dmp-rewrite-ops
feat/ignore-prev-ai-blame-for-perf
fix/ai-blame-file-paths-rel
fix/build-matrix
docs/update-enterprise-installation-opts
feat/agent_fmt1_preset
docs-support
fix/bare-repo-stats
fix/sync-authorship
feat/distributed-authorship
fix/pre-commit-performance2
feat/test-refactor
fix/commit-performance
feat/pop-stash-apply
feat/enterprise-allowlist
fix/conflicts-skipped
fix/merge-squash-new-method
fix/merge-squash
feat/post-commit-stats
feat/git-notes-for-authorship
fix/ai-blame-rename
fix/empty-repo
fix/unstaged-in-log
feat/git-notes-namespace
feat/local-rewrites-authorship
feat/handle-git-alias
feat/faster-checkpoints-slimmer-storage
feat/dev-env-setup
feat/cursor-hooks-auto-install
fix/ai-blame
fix/blame-issues
fix/perf
feat/cursor-preset
test
fix/pull-unplanned
fix/attribution-above-fix
feat/count-total-lines-per-prompt
feat/new-authorship-log-format
fix/windows-ci
feat/claude-cursor-presets
feat/git-compat
feat/track-squash-rebase
save-prompts
fix-git-push-rewrite
fix-linux-release
arm-linux-support
git-ai-stats-command
fix-new-files-not-getting-authorship
testing123
example123
fix/default-ref-upload
proxy
feat/proxy
fix/release-script-testing
fix/subdir-repo-not-found
cursor-extension
feat/demo-pr-comments
tests/in-ci
feat/test-suite-
fix-init
v1.3.5-next-8b86fcf
v1.3.4
v1.3.3
v1.3.2
v1.3.1
v1.3.0
v1.3.0-next-ba657b6
v1.3.0-next-a1321a5
v1.3.0-next-bacf066
v1.3.0-next-380a1f8
v1.2.8
v1.2.7
v1.2.7-next-e025db4
v1.2.7-next-f211688
v1.2.7-next-d2c85a4
v1.2.6
v1.2.5
v1.2.4
v1.2.4-next-46cbbb1
v1.2.4-next-051dfb9
v1.2.3
v1.2.2
v1.2.1
v1.1.23
v1.1.22
v1.1.21
v1.1.21-next-10b781d
v1.1.20
v1.1.20-next-2a8c946
v1.1.20-next-78623c6
v1.1.19
v1.1.18
v1.1.17
v1.1.16
v1.1.15
v1.1.14
v1.1.13
v1.1.12
v1.1.11
v1.1.11-next-81a4693
v1.1.10
v1.1.9
v1.1.8
v1.1.7
v1.1.7-next-7130b7a
v1.1.6
v1.1.6-next-b4b5f72
v1.1.6-next-3caf774
v1.1.5
v1.1.5-next-2d722eb
v1.1.4
v1.1.3
v1.1.2
v1.1.1-next-6ad2609
v1.1.1
v1.1.1-next-2772a32
v1.1.1-next-339d3a7
v1.0.42
v1.0.41
v1.0.40
v1.0.40-next-8d61135
v1.0.40-next-e763fe3
v1.0.39
v1.0.39-next-024d7cc
v1.0.38
v1.0.38-next-6927f27
v1.0.38-next-9863bf9
v1.0.38-next-ad241de
v1.0.37
v1.0.37-next-55ecea6
v1.0.36
v1.0.36-next-cec0576
v1.0.36-next-8b2936f
v1.0.35
v1.0.35-next-46ac366
v1.0.34
v1.0.34-next-9a90ccd
v1.0.33
v1.0.32
v1.0.32-next-b12d980
v1.0.31
v1.0.30
v1.0.30-next-29e16e1
v1.0.29
v1.0.29-next-93e7b75
v1.0.29-next-c7b2509
v1.0.29-next-7de1eb6
v1.0.29-next-c22b5ba
v1.0.28-next-2ef1b24
v1.0.28
v1.0.27
v1.0.26
v1.0.26-next-7b539aa
v1.0.26-next-3b147bf
v1.0.26-next-fca1a3c
v1.0.25
v1.0.24
v1.0.24-next-df615a7
v1.0.23
v1.0.23-next-5b6a63c
v1.0.23-next-7236db5
v1.0.23-next-96e7686
v1.0.23-next-2c08a4e
v1.0.22-next-b27457a
v1.0.22
v1.0.22-next-d75088f
v1.0.22-next-28c081b
v1.0.22-next-c39b714
v1.0.21
v1.0.21-next-06f6e8c
v1.0.20
v1.0.19
v1.0.18
v1.0.17
v1.0.16
v1.0.15
v1.0.14
v1.0.13
v1.0.12
v1.0.11
v1.0.11-prerelease
v1.0.10
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v0.2.7
v0.2.6
v0.2.5
v0.2.4
v0.2.3
v0.2.2
v0.2.0
v0.1.6
v0.1.5
v0.1.4
v0.1.3
v0.1.2
v0.1.1
v0.1.0
Labels
No labels
agent-support
agent-support
bug
documentation
enhancement
good first issue
help wanted
pull-request
question
windows
working-on
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".
No due date set.
Dependencies
No dependencies set.
Reference
starred/git-ai#95
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @alexanderGalushka on GitHub (Dec 3, 2025).
Original GitHub issue: https://github.com/git-ai-project/git-ai/issues/258
Description:
A high-severity vulnerability exists in tar-fs where symlink validation can be bypassed. This may allow an attacker to write files outside the intended extraction directory, leading to possible system compromise depending on extraction paths.
CVE:
CVE-2025-59343
Severity:
HIGH
Installed Version:
2.1.3
Patched Versions:
3.1.1, 2.1.4, 1.16.6
Required Action:
Upgrade to tar-fs >= 2.1.4 (or higher).
Verify any extraction paths to ensure no unsafe writes occur.
Add tests to confirm unsafe symlink extraction is blocked.
@svarlamov commented on GitHub (Dec 4, 2025):
Thanks for the report, Alexander! Fix came out in the latest release. Please run
git-ai upgradeto get it