CVE-2024-12905

CVSS 7.5 HIGHEPSS 2.1%CWE-22 CWE-59

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

tar-fs

public PoCs found — 2

githubgithub.com/theMcSam/CVE-2024-12905-PoC★ 1 exploitdbwww.exploit-db.com/exploits/52268unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs