CVE-2024-12905

HIGH EPSS 80.1%

Published Mar 27, 20251y ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Mar 27, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

80.1% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-22 Path Traversal Resource Mgmt

CWE-59

References 3

github.com https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
lists.debian.org https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html
seal.security https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.