{"id":"AZL-59367","summary":"CVE-2024-12905 affecting package reaper for versions less than 3.1.1-18","details":"An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.","modified":"2026-04-01T05:19:51.235422Z","published":"2025-03-27T17:15:53Z","upstream":["CVE-2024-12905"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12905"}],"affected":[{"package":{"name":"reaper","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/reaper"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.1-18"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-59367.json"}}],"schema_version":"1.7.5"}