Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-12905

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

Published

2025-03-27T17:15:53.250

Last Modified

2025-11-03T20:16:08.077

Status

Awaiting Analysis

Source

22e2d327-25fe-45d7-9f0c-dcd23b7108df

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-22
CWE-59

Affected Vendors & Products

References

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (22e2d327-25fe-45d7-9f0c-dcd23b7108df)
https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs (22e2d327-25fe-45d7-9f0c-dcd23b7108df)
https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html (af854a3a-2127-422b-91ae-364da2661108)