High severity (CVSS 7.5). OSV Advisory. Published Mar 27, 2025. Updated Apr 15, 2026.
CVE-2024-12905
Description
This vulnerability combines Improper Link Resolution Before File Access ("Link Following") with Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). It occurs when extracting a maliciously crafted tar file and can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is in index.js of the tar-fs package.
This issue affects tar-fs versions from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar-fs (npm) | < 1.16.4 | 1.16.4 |
| tar-fs (npm) | >= 2.0.0, < 2.1.2 | 2.1.2 |
| tar-fs (npm) | >= 3.0.0, < 3.0.7 | 3.0.7 |
Affected products
20 affected package coordinates (OSV), none with a CPE:
- pkg:apk/chainguard/code-server: < 4.105.1-r1
- pkg:apk/chainguard/code-server-compat: < 4.105.1-r1
- pkg:apk/chainguard/kibana-7: < 7.17.28-r41
- pkg:apk/chainguard/kibana-7-bitnami: < 7.17.28-r41
- pkg:apk/chainguard/kibana-8: < 8.17.4-r41
- pkg:apk/chainguard/kibana-8-bitnami: < 8.17.4-r41
- pkg:apk/chainguard/kibana-8-iamguarded: < 8.17.4-r41
- pkg:apk/chainguard/sqlpad: < 7.5.3-r1
- pkg:apk/chainguard/sqlpad-compat: < 7.5.3-r1
- pkg:apk/chainguard/tileserver-gl: < 5.2.0-r1
- pkg:apk/chainguard/tileserver-gl-compat: < 5.2.0-r1
- pkg:apk/chainguard/tileserver-gl-fips: < 5.2.0-r1
- pkg:apk/chainguard/tileserver-gl-fips-compat: < 5.2.0-r1
- pkg:apk/wolfi/code-server: < 4.105.1-r1
- pkg:apk/wolfi/code-server-compat: < 4.105.1-r1
- pkg:apk/wolfi/sqlpad: < 7.5.3-r1
- pkg:apk/wolfi/sqlpad-compat: < 7.5.3-r1
- pkg:apk/wolfi/tileserver-gl: < 5.2.0-r1
- pkg:apk/wolfi/tileserver-gl-compat: < 5.2.0-r1
- pkg:npm/tar-fs: < 1.16.4
References
- github.com/advisories/GHSA-pq67-2wwv-3xjx (source: GHSA; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-12905 (source: GHSA; type: ADVISORY)
- arxiv.org/abs/2506.04962 (source: GHSA; type: WEB)
- arxiv.org/pdf/2506.04962 (source: GHSA; type: WEB)
- github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (source: NVD; type: WEB)
- lists.debian.org/debian-lts-announce/2025/06/msg00012.html (source: NVD; type: WEB)
- www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs (source: NVD; type: WEB)