CVE-2024-12905

NameCVE-2024-12905
DescriptionAn Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1101501

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-tar-fs (PTS)bullseye2.1.1-2vulnerable
bookworm2.1.1-6vulnerable
sid, trixie3.0.8+~cs2.0.4-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-tar-fssource(unstable)3.0.8+~cs2.0.4-11101501

Notes

[bookworm] - node-tar-fs <no-dsa> (Minor issue)
[bullseye] - node-tar-fs <postponed> (Minor issue)
https://github.com/advisories/GHSA-pq67-2wwv-3xjx
https://github.com/mafintosh/tar-fs/commit/fd1634e869e7c5f85948e95eabdaa8451a085de5 (v2.1.2)
https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (v3.0.7)
Search for package or bug name: Reporting problems