cve/2024/CVE-2024-12905.md

### [CVE-2024-12905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12905)
![](https://img.shields.io/static/v1?label=Product&message=null&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=0.0.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=2.0.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=3.0.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-22%20Improper%20Limitation%20of%20a%20Pathname%20to%20a%20Restricted%20Directory%20('Path%20Traversal')&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-59%20Improper%20Link%20Resolution%20Before%20File%20Access%20('Link%20Following')&color=brightgreen)

### Description

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

### POC

#### Reference
- https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs

#### Github
- https://github.com/ARPSyndicate/cve-scores
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/plzheheplztrying/cve_monitor
- https://github.com/theMcSam/CVE-2024-12905-PoC
- https://github.com/w4zu/Debian_security
- https://github.com/zulloper/cve-poc