CVE-2024-12905

CVE-2024-12905 is an Improper Link Resolution Before File Access (Link Following) and Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability, mapped to CWE-22 and CWE-59. It affects the tar-fs npm package, specifically in index.js, across versions from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8. The issue arises when extracting a maliciously crafted tar file, enabling unauthorized file writes or overwrites outside the intended extraction directory. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2025-03-27.

An attacker can exploit this vulnerability remotely with no privileges or user interaction required by supplying a malicious tar file to an application using a vulnerable version of tar-fs for extraction. Successful exploitation allows the attacker to write or overwrite arbitrary files on the target system outside the designated extraction directory, potentially leading to privilege escalation, data corruption, or further compromise depending on the write location and application context.

Advisories recommend updating to patched versions of tar-fs: 1.16.4 or later for the 1.x series, 2.1.2 or later for the 2.x series, and 3.0.8 or later for the 3.x series. A fixing commit is available at https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed. Further details on the vulnerability and discovery are provided in the Seal Security blog at https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs, and Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html for package-specific mitigations.