CVE-2024-12905 (High) detected in tar-fs-2.1.1.tgz

[mend-bolt-for-github]

CVE-2024-12905 - High Severity Vulnerability

Vulnerable Library - tar-fs-2.1.1.tgz

filesystem bindings for tar-stream

Library home page: https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar-fs/package.json

Dependency Hierarchy:

• puppeteer-9.0.0.tgz (Root Library)
  • ❌ tar-fs-2.1.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.
This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

Publish Date: 2025-03-27

URL: CVE-2024-12905

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2025-03-27

Fix Resolution (tar-fs): 2.1.2

Direct dependency fix Resolution (puppeteer): 9.1.0

---

Step up your Open Source Security Game with Mend here