tar-fs: improper link resolution and path traversal (CVE-2024-12905)

Summary

This briefing covers CVE-2024-12905, a vulnerability in tar-fs, a Node.js library for packing directories into tar archives and extracting archives to disk. The defect lies in the extraction path: insufficient validation of entry names and link targets lets a crafted archive write or overwrite files outside the directory the caller asked to extract into.

Product details

The affected product is the tar-fs npm package. Affected versions are 0.0.0 up to but not including 1.16.4, 2.0.0 up to but not including 2.1.2, and 3.0.0 up to but not including 3.0.8; the fixes are 1.16.4, 2.1.2 and 3.0.8 respectively. The flaw is in index.js, the module that implements the package's tar packing and extraction logic.

Vulnerability type summary

CVE-2024-12905 carries two CWE classifications: CWE-59, Improper Link Resolution Before File Access ('Link Following'), and CWE-22, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'). Both are triggered by a crafted tar archive, and both end the same way: the extractor accesses or alters files beyond the intended target directory.

Details of the vulnerability

The vulnerability manifests when a crafted tar archive is extracted with a vulnerable tar-fs. Two per-entry checks were insufficient. First (CWE-22), an entry name containing '..' components or an absolute path could resolve to a location outside the destination directory. Second (CWE-59), a symlink entry whose target points outside the destination could be created on disk, and a later entry whose name passes through that link would be written wherever the link points, even though the entry name itself looks harmless. In either case the extractor writes or overwrites files the caller never intended to touch, which can lead to unauthorized data access or system compromise, especially if the overwritten file is sensitive or is executed later. Fedora 40 and Fedora 41 addressed the issue by updating their yarnpkg package, which bundles tar-fs.

Conclusion

All users of tar-fs for extraction should update to the fixed releases 1.16.4, 2.1.2 or 3.0.8 (or later within the same major line). Because tar-fs is commonly pulled in as a transitive dependency, as the Fedora yarnpkg case shows, check lockfiles for nested copies rather than only the direct dependency. Given the severity of CVE-2024-12905, keeping the package current minimizes the risk of unauthorized file operations, and regular patching remains the baseline defence against this class of vulnerability.

Watch the full video on YouTube: CVE-2024-12905

CVE database technical details

CVE ID
CVE-2024-12905
Description
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Provider
seal
CWE / problem types
CWE-59 Improper Link Resolution Before File Access ('Link Following'),CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected Software Versions
tar-fs (semver ranges):
  from 0.0.0, before 1.16.4: affected (unaffected from 1.16.4)
  from 2.0.0, before 2.1.2: affected (unaffected from 2.1.2)
  from 3.0.0, before 3.0.8: affected (unaffected from 3.0.8)
Date Published
2025-03-27T16:25:34.410Z
Last Updated
2025-04-20T15:42:44.814Z