CVE-2024-12905: 
JavaScript vulnerability analysis and mitigation

CVE-2024-12905 is a vulnerability in the tar-fs package that combines an Improper Link Resolution Before File Access (Link Following) and Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The vulnerability was discovered and disclosed on March 27, 2025, affecting tar-fs versions from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8 (NVD).

The vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is specifically associated with index.js in the tar-fs package. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (Snyk).

When exploited, this vulnerability allows an attacker to overwrite or write unauthorized files outside the intended directory by exploiting the path traversal and link following vulnerabilities. This can lead to significant integrity impacts on the affected system (Snyk).

The recommended mitigation is to upgrade tar-fs to version 1.16.4, 2.1.2, 3.0.7 or higher, depending on your current major version. A fix has been implemented that includes additional validation of symlinks and improved path resolution (GitHub Commit).