CVE-2024-12905

CVSS 7.5 HIGHEPSS 2.1%CWE-22 CWE-59

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 7.5EPSS 2.1%KEV nãoPoC públicaPatch referenciado

Lifecycle

27 Mar 2025Published on NVD

22 Apr 2025Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected products

tar-fs

public PoCs found — 2

githubgithub.com/theMcSam/CVE-2024-12905-PoC★ 1 exploitdbwww.exploit-db.com/exploits/52268unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs