Vulnerability details: VCID-sr61-u29y-k3az
Vulnerability ID VCID-sr61-u29y-k3az
Aliases CVE-2024-12905
GHSA-pq67-2wwv-3xjx
Summary tar-fs is affected by Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). Extracting a maliciously crafted tar file can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is in index.js of the tar-fs package. This issue affects tar-fs: versions from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8.
Status Published
Exploitability 2.0
Weighted Severity 8.0
Risk 10.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12905.json
epss 0.00885 https://api.first.org/data/v1/epss?cve=CVE-2024-12905
cvssv3.1 7.5 https://arxiv.org/abs/2506.04962
generic_textual HIGH https://arxiv.org/abs/2506.04962
cvssv3.1 7.5 https://arxiv.org/pdf/2506.04962
generic_textual HIGH https://arxiv.org/pdf/2506.04962
cvssv3.1 7.5 https://github.com/mafintosh/tar-fs
generic_textual HIGH https://github.com/mafintosh/tar-fs
cvssv3.1 7.5 https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
generic_textual HIGH https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
ssvc Track https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
cvssv3.1 7.5 https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html
generic_textual HIGH https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-12905
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-12905
cvssv3.1 7.5 https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
generic_textual HIGH https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
ssvc Track https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
Data source Exploit-DB
Date added April 22, 2025
Description tar-fs 3.0.0 - Arbitrary File Write/Overwrite
Ransomware campaign use Unknown
Source publication date April 22, 2025
Exploit type local
Platform linux
Source update date April 22, 2025
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-12905.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://arxiv.org/abs/2506.04962
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://arxiv.org/pdf/2506.04962
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/mafintosh/tar-fs
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T18:21:53Z/ Found at https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.debian.org/debian-lts-announce/2025/06/msg00012.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-12905
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-27T18:21:53Z/ Found at https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
CVSS:3.1 metrics (decoded from the vector; identical for every CVSS source above)
Attack Vector (AV) network
Attack Complexity (AC) low
Privileges Required (PR) none
User Interaction (UI) none
Scope (S) unchanged
Confidentiality Impact (C) none
Integrity Impact (I) high
Availability Impact (A) none
Exploit Prediction Scoring System (EPSS)
Percentile 0.75875
EPSS Score 0.00885
Published At June 11, 2026, 12:55 p.m.
History
Date 2026-06-10T18:29:43.671926+00:00
Actor Vulnrichment
Action Import
Source https://github.com/cisagov/vulnrichment/blob/develop/2024/12xxx/CVE-2024-12905.json
VulnerableCode Version 38.6.0