CVE-2024-12905
📋 TL;DR
This vulnerability in tar-fs allows an attacker who controls a tar archive to write files outside the intended extraction directory. It affects applications that extract untrusted archives with a vulnerable tar-fs version. The issue combines path traversal in entry names with symlink following: a link entry whose target points outside the extraction directory, followed by entries written through it, bypasses the directory restriction.
💻 Affected Systems
- tar-fs npm package
⚠️ Manual Verification Required
This CVE does not have version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry we ingest carries no version ranges. The patched releases listed under Fix & Mitigation (1.16.4, 2.1.2, 3.0.8) are the reference point: treat earlier releases in each of those major lines as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file writes, potentially leading to remote code execution, data destruction, or privilege escalation.
Likely Case
Unauthorized file overwrites or creation in sensitive directories, potentially modifying configuration files, planting backdoors, or exfiltrating data.
If Mitigated
Limited to the user context running the tar-fs process, with damage contained to accessible directories based on process permissions.
🎯 Exploit Status
Exploitation requires crafting a malicious tar archive with symlinks and path traversal elements. No public exploit code is known, but the vulnerability is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: tar-fs 1.16.4, 2.1.2, or 3.0.8 (one fixed release per supported major line)
Fix Commit (vendor): https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
Restart Required: Yes. A running Node.js process keeps the module it already loaded; restart or redeploy after updating.
Instructions:
1. Update the tar-fs dependency in package.json to ^1.16.4, ^2.1.2, or ^3.0.8, matching the major line you use.
2. Run 'npm update tar-fs' or 'yarn upgrade tar-fs', then confirm with 'npm ls tar-fs' that every copy, including nested copies pulled in by other packages, is at a fixed version. If a dependency pins an older range, force the fixed release with the package.json 'overrides' field (npm) or 'resolutions' (Yarn classic).
3. Test archive extraction functionality.
🔧 Temporary Workarounds
Validate tar files before extraction
Implement pre-extraction validation that rejects entries whose names contain '..' or are absolute, and symlink or hardlink entries whose target resolves outside the extraction directory. Check the whole archive before writing anything, because a later entry can be written through a symlink created earlier in the same archive.
Use extraction in isolated container
Run tar extraction in a sandboxed environment (container, dedicated low-privilege user, or chroot) with restricted filesystem access, so a write that escapes the extraction directory cannot reach anything sensitive.
🧯 If You Can't Patch
- Disable tar file processing functionality if not essential
- Implement strict input validation and whitelist allowed tar file sources
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list tar-fs' to see the installed versions; nested copies pulled in by other packages are listed too and each must be checked. A copy is vulnerable if it is older than the fixed release for its major line: below 1.16.4 on 1.x, below 2.1.2 on 2.x, or below 3.0.8 on 3.x.
Check Version:
npm list tar-fs | grep tar-fs
Verify Fix Applied:
After updating, verify that every listed copy is 1.16.4+, 2.1.2+, or 3.0.8+ using 'npm list tar-fs', then restart the application and test extraction with known safe archives.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file writes outside extraction directory
- Failed file access attempts to restricted paths
- Process crashes during tar extraction
Network Indicators:
- Large or unusual tar file uploads to extraction endpoints
SIEM Query:
Process execution logs showing tar-fs extraction followed by file writes to unexpected locations