{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-12905", "assignerOrgId": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "state": "PUBLISHED", "assignerShortName": "seal", "dateReserved": "2024-12-23T13:53:01.494Z", "datePublished": "2025-03-27T16:25:34.410Z", "dateUpdated": "2025-11-03T19:29:11.810Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "tar-fs", "programFiles": ["index.js"], "repo": "https://github.com/mafintosh/tar-fs", "versions": [{"changes": [{"at": "1.16.4", "status": "unaffected"}], "lessThan": "1.16.4", "status": "affected", "version": "0.0.0", "versionType": "semver"}, {"changes": [{"at": "2.1.2", "status": "unaffected"}], "lessThan": "2.1.2", "status": "affected", "version": "2.0.0", "versionType": "semver"}, {"changes": [{"at": "3.0.8", "status": "unaffected"}], "lessThan": "3.0.8", "status": "affected", "version": "3.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "@bnbdr"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An <strong>Improper Link Resolution Before File Access (\"Link Following\")</strong> and <strong>Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")</strong>. This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with <code>index.js</code> in the <code>tar-fs</code> package.<p></p><p>This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.</p>"}], "value": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8."}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132 Symlink Attack"}]}, {"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "shortName": "seal", "dateUpdated": "2025-04-20T15:42:44.814Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"}, {"tags": ["technical-description"], "url": "https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-27T18:21:53.061002Z", "id": "CVE-2024-12905", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T18:25:53.445Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:29:11.810Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T19:29:11.810Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-12905", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-27T18:21:53.061002Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-27T18:24:06.268Z"}}], "cna": {"source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "@bnbdr"}], "impacts": [{"capecId": "CAPEC-132", "descriptions": [{"lang": "en", "value": "CAPEC-132 Symlink Attack"}]}, {"capecId": "CAPEC-126", "descriptions": [{"lang": "en", "value": "CAPEC-126 Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/mafintosh/tar-fs", "versions": [{"status": "affected", "changes": [{"at": "1.16.4", "status": "unaffected"}], "version": "0.0.0", "lessThan": "1.16.4", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "2.1.2", "status": "unaffected"}], "version": "2.0.0", "lessThan": "2.1.2", "versionType": "semver"}, {"status": "affected", "changes": [{"at": "3.0.8", "status": "unaffected"}], "version": "3.0.0", "lessThan": "3.0.8", "versionType": "semver"}], "packageName": "tar-fs", "programFiles": ["index.js"], "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed", "tags": ["patch"]}, {"url": "https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs", "tags": ["technical-description"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.", "supportingMedia": [{"type": "text/html", "value": "An <strong>Improper Link Resolution Before File Access (\"Link Following\")</strong> and <strong>Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\")</strong>. This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with <code>index.js</code> in the <code>tar-fs</code> package.<p></p><p>This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-59", "description": "CWE-59 Improper Link Resolution Before File Access ('Link Following')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "shortName": "seal", "dateUpdated": "2025-04-20T15:42:44.814Z"}}}, "cveMetadata": {"cveId": "CVE-2024-12905", "state": "PUBLISHED", "dateUpdated": "2025-11-03T19:29:11.810Z", "dateReserved": "2024-12-23T13:53:01.494Z", "assignerOrgId": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "datePublished": "2025-03-27T16:25:34.410Z", "assignerShortName": "seal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\n\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8."}, {"lang": "es", "value": "Resoluci\u00f3n incorrecta de enlaces antes del acceso a archivos (\"Link Following\") y limitaci\u00f3n incorrecta de una ruta a un directorio restringido (\"Path Traversal\"). Esta vulnerabilidad se produce al extraer un archivo tar manipulado con fines maliciosos, lo que puede provocar escrituras o sobrescrituras no autorizadas de archivos fuera del directorio de extracci\u00f3n previsto. El problema est\u00e1 asociado con index.js en el paquete tar-fs. Este problema afecta a tar-fs: desde la versi\u00f3n 0.0.0 hasta la 1.16.4, desde la versi\u00f3n 2.0.0 hasta la 2.1.2, desde la versi\u00f3n 3.0.0 hasta la 3.0.8."}], "id": "CVE-2024-12905", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "type": "Secondary"}]}, "published": "2025-03-27T17:15:53.250", "references": [{"source": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "url": "https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"}, {"source": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "url": "https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html"}], "sourceIdentifier": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-59"}], "source": "22e2d327-25fe-45d7-9f0c-dcd23b7108df", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3932", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/pluginregistry-rhel9:3.20-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-04-16T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/code-rhel9:3.21-5", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/configbump-rhel9:3.21-5", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/dashboard-rhel9:3.21-12", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/devspaces-operator-bundle:3.21-25", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/devspaces-rhel9-operator:3.21-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/imagepuller-rhel9:3.21-2", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/machineexec-rhel9:3.21-4", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/pluginregistry-rhel9:3.21-7", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/server-rhel9:3.21-11", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces-tech-preview/idea-rhel9:3.21-1", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces-tech-preview/jetbrains-ide-rhel9:3.21-3", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/traefik-rhel9:3.21-1", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/udi-base-rhel9:3.21-2", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:8244", "cpe": "cpe:/a:redhat:openshift_devspaces:3::el9", "package": "devspaces/udi-rhel9:3.21-6", "product_name": "Red Hat OpenShift Dev Spaces 3 Containers", "release_date": "2025-05-28T00:00:00Z"}, {"advisory": "RHSA-2025:7626", "cpe": "cpe:/a:redhat:rhdh:1.6::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:b6bf7ded5e146f60141840bb2e42e72125c61af0f3d3c3fbf48b35bc670675fe", "product_name": "Red Hat Developer Hub 1.6", "release_date": "2025-05-14T00:00:00Z"}, {"advisory": "RHSA-2025:8540", "cpe": "cpe:/a:redhat:rhdh:1.5::el9", "package": "registry.redhat.io/rhdh/rhdh-hub-rhel9:sha256:e76a91d43f5fb482b19a42bf2cfc30e183b1331f6db600855600b5a917c889b3", "product_name": "RHDH 1.5", "release_date": "2025-06-04T00:00:00Z"}], "bugzilla": {"description": "tar-fs: link following and path traversal via maliciously crafted tar file", "id": "2355460", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2355460"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "status": "verified"}, "cwe": "(CWE-22|CWE-59)", "details": ["An Improper Link Resolution Before File Access (\"Link Following\") and Improper Limitation of a Pathname to a Restricted Directory (\"Path Traversal\"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.\nThis issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.", "A flaw was found in the tar-fs package for Node.js. In affected versions, unauthorized file writes or overwrites outside the intended extraction directory can occur when extracting a maliciously crafted tar file. The issue is associated with index.js in the tar-fs package."], "name": "CVE-2024-12905", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/kibana6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Affected", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "tar-fs", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.keycloak-keycloak-parent", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-dashboard-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "odh-operator-container", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-api-server-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-driver-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-launcher-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-persistenceagent-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Not affected", "package_name": "rhoai/odh-ml-pipelines-scheduledworkflow-v2-rhel8", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Not affected", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:trusted_artifact_signer:1", "fix_state": "Affected", "package_name": "rhtas/rekor-search-ui-rhel9", "product_name": "Red Hat Trusted Artifact Signer"}], "public_date": "2025-03-27T16:25:34Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-12905\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-12905\nhttps://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed"], "statement": "This vulnerability is rated as an important severity because it allows attackers to extract a malicious tar file that can write or overwrite files outside the intended directory. This occurs due to improper handling of link resolution and pathname limitations. The risk is high for systems that automatically extract tar files, as it can lead to data corruption or unauthorized file modifications without user interaction.", "threat_severity": "Important"}

{}