Improper Link Resolution and Path Traversal in tar-fs by Mafintosh
CVE-2024-12905

7.5HIGH

Key Information:

Status
Vendor: CVE Published:; 27 March 2025

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The tar-fs package contains vulnerabilities that allow for improper link resolution before file access and improper limitations on pathnames during file extraction. By exploiting these flaws, an attacker can craft a malicious tar file, leading to unauthorized file writes or overwrites outside the intended extraction directory. This security issue specifically affects versions of the tar-fs package prior to 1.16.4, 2.1.2, and 3.0.8. Immediate updates to the latest versions are recommended to mitigate potential risks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12905-PoC
Created by theMcSam

References

https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a...

patch

https://www.seal.security/blog/a-link-to-the-past-uncover...

technical-description

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Apr 25, 2025
👾
Exploit known to exist
Apr 25, 2025
Vulnerability published
Mar 27, 2025
Vulnerability Reserved
Dec 23, 2024

Credit

@bnbdr