CVE-2024-12905
Published: 27 March 2025
Summary
CVE-2024-12905 is a high-severity Path Traversal (CWE-22) vulnerability in Seal (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the vulnerability by requiring timely identification, reporting, and patching of the tar-fs package to fixed versions that resolve the path traversal and link following flaws.
Prevents exploitation by enforcing validation of tar file paths and links to restrict extraction to the intended directory and block traversal sequences.
Mitigates impact of unauthorized file writes by ensuring Node.js processes using tar-fs operate with least privilege, limiting overwrite locations.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote exploitation of applications using the vulnerable tar-fs library by supplying a malicious tar file for extraction (T1190: Exploit Public-Facing Application). The resulting arbitrary file write capability outside the intended directory can be leveraged to achieve privilege escalation depending on the target write location (T1068: Exploitation for Privilege Escalation).
NVD Description
An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites…
more
outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.
Deeper analysisAI
CVE-2024-12905 is an Improper Link Resolution Before File Access (Link Following) and Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability, mapped to CWE-22 and CWE-59. It affects the tar-fs npm package, specifically in index.js, across versions from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8. The issue arises when extracting a maliciously crafted tar file, enabling unauthorized file writes or overwrites outside the intended extraction directory. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and was published on 2025-03-27.
An attacker can exploit this vulnerability remotely with no privileges or user interaction required by supplying a malicious tar file to an application using a vulnerable version of tar-fs for extraction. Successful exploitation allows the attacker to write or overwrite arbitrary files on the target system outside the designated extraction directory, potentially leading to privilege escalation, data corruption, or further compromise depending on the write location and application context.
Advisories recommend updating to patched versions of tar-fs: 1.16.4 or later for the 1.x series, 2.1.2 or later for the 2.x series, and 3.0.8 or later for the 3.x series. A fixing commit is available at https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed. Further details on the vulnerability and discovery are provided in the Seal Security blog at https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs, and Debian LTS users should refer to the announcement at https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html for package-specific mitigations.
Details
- CWE(s)