CVE-2024-12905 - Path Traversal & Symlink Abuse in tar-fs Tar Extraction (Explained)
Malicious archives are a classic security risk. With CVE-2024-12905, a serious problem hit the tar-fs npm package across several versions. This bug allows attackers to write or overwrite files *anywhere* on your filesystem — just by getting you to extract a malicious tar file.
Below, we break down, in plain language, how this vulnerability works, why it’s dangerous, and what code snippets and checks reveal about this critical bug.
What is CVE-2024-12905?
This vulnerability is a double trouble:
1. Improper Link Resolution Before File Access ("Link Following", CWE-59): The code follows symlinks inside tar archives without checking where they point to.
2. Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal", CWE-22): The code lets file paths step outside the intended extraction directory using ../ in file names.
If you extract a malicious tar file with a vulnerable version of tar-fs, the archive can
- Overwrite files outside the target directory (like /etc/passwd, ~/.ssh/authorized_keys, or project files)
>= 3.., < 3..8
A security update exists, so upgrade to at least 1.16.4, 2.1.2, or 3..8 (depending on your branch).
Official tar-fs repo security advisory
How does the exploit work?
Both symlinks and tricky paths can fool simplistic extraction logic. Imagine an attacker creates a tar file including:
- Files with paths like ../../some/secret.txt
- A symlink like danger_link pointing to /etc/passwd, plus a file which writes through danger_link
If your code extracts that archive using an unsafe tar-fs, the attacker's files end up *outside* the directory you expected.
Take a look at the table
| Tar Path | Type | Data/ Link Target |
|------------------------------- |----------|----------------------|
| ../../danger.txt | File | Attacker's payload |
| danger_link | Symlink | /etc/passwd |
| through_link | File | Malicious text |
Here’s how a typical vulnerable extraction looks in Node.js
// Vulnerable code using tar-fs < 1.16.4 / 2.1.2 / 3..8
const tar = require('tar-fs')
const fs = require('fs')
fs.createReadStream('archive.tar')
.pipe(tar.extract('./uploads'))
What's wrong with this?
With a malicious tar file, tar-fs will happily
- Extract ../../danger.txt to ../.. (outside ./uploads)
- Follow a symlink inside the archive and write to its real target (for example, /etc/passwd)
Basically, the code doesn’t check if the destination is inside the allowed directory or if the symlink points somewhere safe.
You can craft a dangerous archive with the tar command
# Make a file outside the target directory
echo "hacked" > ../../evil.txt
# Make a symlink to /etc/passwd
ln -s /etc/passwd link_to_passwd
# Create the archive
tar -cvf malicious.tar ../../evil.txt link_to_passwd
If someone extracts this with a vulnerable tar-fs, your evil.txt ends up outside where it should, and writes can go through the symlink to /etc/passwd.
What Did They Fix?
The maintainers patched this by adding canonicalization and strict checks. Now, extraction code refuses to write files outside the target directory and skips evil symlinks.
You can see an example safe path check
// Pseudo-code illustrating secure extraction
const resolvedPath = path.resolve(destinationDir, entryPath)
if (!resolvedPath.startsWith(destinationDir)) {
throw new Error('Path traversal detected')
}
Old versions didn’t properly check this — letting ../../ slip through.
Run file operations with the minimum possible privileges
If you run a file upload or CI pipeline, audit all dependencies handling archives.
Reference Links
- NVD: CVE-2024-12905
- tar-fs GitHub Advisory
- Security Patch Pull Request
- CWE-22: Path Traversal
- CWE-59: Link Following
The Takeaway
Never trust archive files from unknown or untrusted sources, and always keep your dependencies patched. Simple mistakes with path handling and symlink validation can lead to full system compromise.
Timeline
Published on: 03/27/2025 17:15:53 UTC
Last modified on: 03/28/2025 18:11:40 UTC