Description
The company I work for uses YACE for our internal monitoring. Our scans are picking up a couple of busybox vulnerabilities that are fixed in recent versions of busybox.
CVE-2025-46394
CNA: MITRE Corporation
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
CVE-2024-58251
CNA: MITRE Corporation
In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
I could just create a simple MR I guess with a change to the changelog and tag it 0.62.2, but I just want to understand the correct process, unless someone can fix it quickly for us.