CVE-2024-12905
Published: 2025-03-27
Priority: P357 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit likelihood (EPSS): 2.19% (80.2th percentile)
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | node-tar-fs | < node-tar-fs 2.1.3-0+deb12u1 (bookworm) | node-tar-fs 2.1.3-0+deb12u1 (bookworm) |
| msrc | cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0 | — | — |
| tar-fs_project | tar-fs | >= 0 < 1.16.4 | 1.16.4 |
| tar-fs_project | tar-fs | >= 2.0.0 < 2.1.2 | 2.1.2 |
| tar-fs_project | tar-fs | >= 3.0.0 < 3.0.7 | 3.0.7 |
| ubuntu | node-tar-fs | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
GHSA
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
ghsa·2025-03-27
CVE-2024-12905 [HIGH] CWE-22 tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.
### PoC
```javascript
// Create a writable stream to extract the tar content
const extractStream = tarfs.extract('/', {
// We can ignore the file type checks to allow the extraction of the malicious file
ignore: (name)
```
OSV
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
osv·2025-03-27
CVE-2024-12905 [HIGH] tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.
### PoC
```javascript
// Create a writable stream to extract the tar content
const extractStream = tarfs.extract('/', {
// We can ignore the file type checks to allow the extraction of the malicious file
ignore: (name)
```
OSV
CVE-2024-12905: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
osv·2025-03-27·CVSS 7.5
CVE-2024-12905 [HIGH] CVE-2024-12905: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Ubuntu
tar-fs vulnerabilities
vendor_ubuntu·2026-06-02·CVSS 7.5
CVE-2025-59343 [HIGH] tar-fs vulnerabilities
Title: tar-fs vulnerabilities
Summary: Several security issues were fixed in tar-fs.
It was discovered that tar-fs did not properly limit paths when
extracting crafted tar files. An attacker could possibly use this
issue to write or overwrite files outside the intended extraction
directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2024-12905)
It was discovered that tar-fs did not properly validate extraction
paths for certain crafted tar archives. An attacker could possibly
use this issue to write files outside the intended extraction
directory. This issue only affected Ubuntu 22.04 LTS and Ubuntu
24.04 LTS. (CVE-2025-48387)
It was discovered that tar-fs had a symlink validation bypass when
extracting crafted tar files. An attacker could possibly use this
is
Red Hat
tar-fs: link following and path traversal via maliciously crafted tar file
vendor_redhat·2025-03-27·CVSS 7.5
CVE-2024-12905 [HIGH] CWE-59 tar-fs: link following and path traversal via maliciously crafted tar file
tar-fs: link following and path traversal via maliciously crafted tar file
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. The issue is associa
Microsoft
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a malici
vendor_msrc·2025-03-11·CVSS 7.5
CVE-2024-12905 [HIGH] CWE-59 An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a malici
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure v
Debian
CVE-2024-12905: node-tar-fs - An Improper Link Resolution Before File Access ("Link Following") and Improper L...
vendor_debian·2024·CVSS 7.5
CVE-2024-12905 [HIGH] CVE-2024-12905: node-tar-fs - An Improper Link Resolution Before File Access ("Link Following") and Improper L...
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Scope: local
bookworm: resolved (fixed in 2.1.3-0+deb12u1)
bullseye: resolved (fixed in 2.1.3-0+deb11u1)
forky: resolved (fixed in 3.0.8+~cs2.0.4-1)
sid: resolved (fixed in 3.0.8+~cs2.0.4-1)
trixie: resolved (fixed in 3.0.8+~cs2.0.4-1)
No detection rules found.
arXiv
PoCGen: Generating Proof-of-Concept Exploits for Vulnerabilities in Npm Packages
arxiv_fulltext·2025-09-26
Deniz Simsek (University of Stuttgart, Germany), Aryaz Eghbali (University of Stuttgart, Germany), Michael Pradel (CISPA Helmholtz Center for Information Security, Germany)
## Abstract
Security vulnerabilities in software packages are a significant concern for developers and users alike.
Patching these vulnerabilities in a ti
arXiv
Security Vulnerabilities in Software Supply Chain for Autonomous Vehicles
arxiv_fulltext·2025-09-21
Security Vulnerabilities in Software Supply Chain for Autonomous Vehicles
Md Wasiul Haque (Department of Civil, Construction and Environmental Engineering, University of Alabama, Tuscaloosa, AL, USA), Md Erfan (Department of Computer Science, University of Alabama, Tuscaloosa, AL, USA), Sagar Dasgupta (Department of Civil, Construction and Environmental Engineering, University of Alabama, Tuscaloosa, AL, USA), Md Rayhanur Rahman (Department of Computer Science, University of Alabama, Tuscaloosa, AL, USA), Mizanur Rahman (Department of Civil, Construction and Environmental Engineering, University of Alabama, Tuscaloosa, AL, USA)
## Abstract
The interest in autonomous vehicles (AVs) for critical missions, including transpo
Bugzilla
CVE-2024-12905 tar-fs: link following and path traversal via maliciously crafted tar file
bugzilla·2025-03-27·CVSS 7.5
CVE-2024-12905 [HIGH] CVE-2024-12905 tar-fs: link following and path traversal via maliciously crafted tar file
CVE-2024-12905 tar-fs: link following and path traversal via maliciously crafted tar file
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Discussion:
This issue has been addressed in the following products:
Red Hat OpenShift Dev Spaces 3 Containers
Via RHSA-2025:3932 https://access.redhat.com/errata/RHSA-2025:3932
---
This issue has been addressed
Published: 2025-03-27