CVE-2024-12905: tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-12905
GHSA ID:
EPSS Score: 0.62472%
CWE:
Published: 3/27/2025
Updated: 3/28/2025
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tar-fs | npm | < 1.16.4 | 1.16.4 |
| tar-fs | npm | >= 2.0.0, < 2.1.2 | 2.1.2 |
| tar-fs | npm | >= 3.0.0, < 3.0.7 | 3.0.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in the handling of symlink and hardlink entries during extraction. The patch adds path validation in onsymlink (an inCwd check) and hardens path resolution in onlink. Vulnerable versions lacked these checks, so a crafted tar entry could cause writes outside the extraction directory (cwd). exports.extract is the main entry point, where cwd normalization was insufficient, and its inner functions onsymlink and onlink handled untrusted entry paths directly without adequate validation.