VYPR
High severity7.5OSV Advisory· Published Mar 27, 2025· Updated Apr 15, 2026

CVE-2024-12905

CVE-2024-12905

Description

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
tar-fsnpm
< 1.16.41.16.4
tar-fsnpm
>= 2.0.0, < 2.1.22.1.2
tar-fsnpm
>= 3.0.0, < 3.0.73.0.7

Affected products

21

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.