7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-12905

GHSA ID

GHSA-pq67-2wwv-3xjx

EPSS Score

0.62472%

CWE

CWE-22

Published

3/27/2025

Updated

3/28/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-12905

CVE-2024-12905: tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-12905

GHSA ID

GHSA-pq67-2wwv-3xjx

EPSS Score

0.62472%

CWE

CWE-22

Published

3/27/2025

Updated

3/28/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tar-fs	npm	< 1.16.4	1.16.4
tar-fs	npm	>= 2.0.0, < 2.1.2	2.1.2
tar-fs	npm	>= 3.0.0, < 3.0.7	3.0.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability manifests in symlink/hardlink processing during extraction. The patch adds critical path validation in onsymlink (via inCwd check) and hardens path resolution in onlink. The vulnerable versions lacked these checks, allowing malicious tar entries to write outside cwd. exports.extract is the main entry point where cwd normalization was insufficient, and its inner functions onsymlink/onlink directly handled untrusted input without proper validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n Improp*r Link R*solution ***or* *il* ****ss ("Link *ollowin*") *n* Improp*r Limit*tion o* * P*t*n*m* to * R*stri*t** *ir**tory ("P*t* Tr*v*rs*l"). T*is vuln*r**ility o**urs w**n *xtr**tin* * m*li*iously *r**t** t*r *il*, w*i** **n r*sult in un*ut*

Reasoning

T** vuln*r**ility m*ni**sts in symlink/**r*link pro**ssin* *urin* *xtr**tion. T** p*t** ***s *riti**l p*t* `v*li**tion` in `onsymlink` (vi* in*w* ****k) *n* **r**ns p*t* r*solution in `onlink`. T** vuln*r**l* v*rsions l**k** t**s* ****ks, *llowin* m*

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-12905: tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI