{"id":"CVE-2024-12905","details":"An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\") vulnerability exists in the tar-fs package. This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.","aliases":["GHSA-pq67-2wwv-3xjx"],"modified":"2026-05-18T05:56:55.231669395Z","published":"2025-03-27T16:25:34.410Z","related":["CGA-mhmx-v3j2-76m6"],"database_specific":{"cna_assigner":"seal","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12905.json","cwe_ids":["CWE-22","CWE-59"]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html"},{"type":"WEB","url":"https://registry.npmjs.org"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12905.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12905"},{"type":"FIX","url":"https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"},{"type":"PACKAGE","url":"https://github.com/mafintosh/tar-fs"},{"type":"ARTICLE","url":"https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mafintosh/tar-fs","events":[{"introduced":"6d66143dc5e40480dd6135a4453f6da26a5602e0"},{"fixed":"e4a7a401e80267247b8e9e39d8e5ba82c4fe2f7b"}]}],"versions":["v3.0.7","v3.0.6","v3.0.5","v3.0.4","v3.0.3","v3.0.2","v3.0.1","v3.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12905.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}