CVE-2024-12905
published 2025-03-27


Priority: P3 (57) | Severity: high | CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploit
EPSS: 2.19% (80.2nd percentile)
tar-fs is affected by Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The vulnerability is triggered when extracting a maliciously crafted tar file and can result in files being written or overwritten outside the intended extraction directory. The issue is located in index.js of the tar-fs package. Affected versions: tar-fs from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8.

Affected

6 ranges

Vendor         | Product                                 | Version range                                 | Fixed in
debian         | node-tar-fs                             | < node-tar-fs 2.1.3-0+deb12u1 (bookworm)      | node-tar-fs 2.1.3-0+deb12u1 (bookworm)
msrc           | cbl2_reaper_3.1.1-18_on_cbl_mariner_2.0 |                                               |
tar-fs_project | tar-fs                                  | >= 0 < 1.16.4                                 | 1.16.4
tar-fs_project | tar-fs                                  | >= 2.0.0 < 2.1.2                              | 2.1.2
tar-fs_project | tar-fs                                  | >= 3.0.0 < 3.0.7                              | 3.0.7
ubuntu         | node-tar-fs                             |                                               |

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |
vendor_msrc   |         | 7.5   | HIGH     |
vendor_redhat |         | 7.5   | HIGH     |
vendor_ubuntu |         | 7.5   | HIGH     |