CVE-2024-12905

Name of the Vulnerable Software and Affected Versions tar-fs versions 0.0.0 through 1.16.3 tar-fs versions 2.0.0 through 2.1.1 tar-fs versions 3.0.0 through 3.0.7

Description This issue is related to an Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

Recommendations For tar-fs versions 0.0.0 through 1.16.3, update to version 1.16.4 or later. For tar-fs versions 2.0.0 through 2.1.1, update to version 2.1.2 or later. For tar-fs versions 3.0.0 through 3.0.7, update to version 3.0.8 or later. As a temporary workaround, consider disabling the extraction of tar files until a patch is available. Restrict access to the index.js file in the tar-fs package to minimize the risk of exploitation.