{"id":"CVE-2024-12905","details":"An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.","aliases":["GHSA-pq67-2wwv-3xjx"],"modified":"2026-03-17T07:10:29.014320Z","published":"2025-03-27T17:15:53.250Z","related":["CGA-mhmx-v3j2-76m6","MGASA-2025-0194"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html"},{"type":"FIX","url":"https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"},{"type":"ARTICLE","url":"https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mafintosh/tar-fs","events":[{"introduced":"0"},{"fixed":"ff6510d7ba63b6ee200442b80f4326f369e7d4bd"},{"introduced":"0f54a78bcc8735c4257177fd004c2f9e55c588bb"},{"fixed":"d97731b0e1b8a244ab859784b514cfcf5585ad3d"},{"introduced":"6d66143dc5e40480dd6135a4453f6da26a5602e0"},{"fixed":"e4a7a401e80267247b8e9e39d8e5ba82c4fe2f7b"},{"fixed":"a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"}],"database_specific":{"versions":[{"introduced":"0.0.0"},{"fixed":"1.16.4"},{"introduced":"2.0.0"},{"fixed":"2.1.2"},{"introduced":"3.0.0"},{"fixed":"3.0.8"}]}}],"versions":["v2.0.0","v2.0.1","v2.1.0","v2.1.1","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12905.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}