[Pkg-javascript-devel] Bug#1101501: node-tar-fs: CVE-2024-12905
Moritz Mühlenhoff
jmm at inutil.org
Fri Mar 28 14:37:38 GMT 2025
Source: node-tar-fs
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-tar-fs.
CVE-2024-12905[0]:
| An Improper Link Resolution Before File Access ("Link Following")
| and Improper Limitation of a Pathname to a Restricted Directory
| ("Path Traversal"). This vulnerability occurs when extracting a
| maliciously crafted tar file, which can result in unauthorized file
| writes or overwrites outside the intended extraction directory. The
| issue is associated with index.js in the tar-fs package. This issue
| affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2,
| from 3.0.0 before 3.0.8.
https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed (v3.0.7)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-12905
https://www.cve.org/CVERecord?id=CVE-2024-12905
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-javascript-devel
mailing list