High severity (7.5) · NVD Advisory · Published Mar 27, 2025 · Updated Apr 15, 2026
CVE-2024-12905
Description
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") vulnerability. It occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar-fs (npm) | < 1.16.4 | 1.16.4 |
| tar-fs (npm) | >= 2.0.0, < 2.1.2 | 2.1.2 |
| tar-fs (npm) | >= 3.0.0, < 3.0.7 | 3.0.7 |
Patches
4a1dd7e7c7f4b — refactor and throw on bad symlink
2 files changed · +13 −4
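--- a/index.js
+++ b/index.js
@@ -120,6 +120,8 @@ exports.extract = function extract (cwd, opts) {
   if (!cwd) cwd = '.'
   if (!opts) opts = {}
 
+  cwd = path.resolve(cwd)
+
   const xfs = opts.fs || fs
   const ignore = opts.ignore || opts.filter || noop
   const mapStream = opts.mapStream || echo
@@ -216,18 +218,21 @@ exports.extract = function extract (cwd, opts) {
   function onsymlink () {
     if (win32) return next() // skip symlinks on win for now before it can be tested
     xfs.unlink(name, function () {
+      const dst = path.resolve(path.dirname(name), header.linkname)
+      if (!inCwd(dst)) return next(new Error(name + ' is not a valid symlink'))
+
       xfs.symlink(header.linkname, name, stat)
     })
   }
 
   function onlink () {
     if (win32) return next() // skip links on win for now before it can be tested
     xfs.unlink(name, function () {
-      const srcpath = path.join(cwd, path.join('/', header.linkname))
+      const dst = path.join(cwd, path.join('/', header.linkname))
 
-      xfs.link(srcpath, name, function (err) {
+      xfs.link(dst, name, function (err) {
         if (err && err.code === 'EPERM' && opts.hardlinkAsFilesFallback) {
-          stream = xfs.createReadStream(srcpath)
+          stream = xfs.createReadStream(dst)
           return onfile()
         }
 
@@ -236,6 +241,10 @@ exports.extract = function extract (cwd, opts) {
     })
   }
 
+  function inCwd (dst) {
+    return dst.startsWith(cwd)
+  }
+
   function onfile () {
     const ws = xfs.createWriteStream(name)
     const rs = mapStream(stream, header)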
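Review bot: `inCwd` in the third hunk is a bare string-prefix test, so a resolved symlink target in a sibling directory whose name merely begins with `cwd` (constructed example: `cwd` of `/data/out` against a target under `/data/out2/`) passes the check; the guard should be `return dst === cwd || dst.startsWith(cwd + path.sep)`. The comparison is also purely lexical — `path.resolve` in `onsymlink` does not consult the filesystem — so a target whose path passes through a symlink extracted earlier in the same archive is judged on its lexical path only; whether resolving the existing portion with `fs.realpath` is in scope for this fix is inferred, not visible in the hunk. `onlink` does not go through `inCwd`, which is fine as written because `path.join('/', header.linkname)` pins the source under `cwd`, but a comment such as `// leading '/' join keeps the link source inside cwd; no inCwd() needed` would stop the two branches drifting apart. `extract` begins before the first hunk and ends after the last.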
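--- a/test/index.js
+++ b/test/index.js
@@ -311,7 +311,7 @@ test('do not extract invalid tar', function (t) {
   fs.createReadStream(a)
     .pipe(tar.extract(out))
     .on('error', function (err) {
-      t.ok(/is not a valid path/i.test(err.message))
+      t.ok(/is not a valid symlink/i.test(err.message))
       fs.stat(path.join(out, '../bar'), function (err) {
         t.ok(err)
       })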
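Review bot: The assertion change in this hunk only tracks the new error text; the fixture still exercises a single `../bar` target, so the new `inCwd` prefix check in index.js gets no coverage for a target that shares `cwd` as a string prefix without being inside it. A second fixture whose symlink resolves to a sibling of the output directory named `out` plus a suffix, asserted with the same `/is not a valid symlink/i` pattern and an `fs.stat` that expects an error, would pin that boundary. The enclosing `test(...)` callback continues past the hunk.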
ff6510d7ba63d97731b0e1b8e4a7a401e802 — Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (7)
- github.com/advisories/GHSA-pq67-2wwv-3xjx [ghsa · ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2024-12905 [ghsa · ADVISORY]
- arxiv.org/abs/2506.04962 [ghsa · WEB]
- arxiv.org/pdf/2506.04962 [ghsa · WEB]
- github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed [nvd · WEB]
- lists.debian.org/debian-lts-announce/2025/06/msg00012.html [nvd · WEB]
- www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs [nvd · WEB]
News mentions (0)
No linked articles in our index yet.