An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

🗓️ 11 Apr 2025 07:00:00Reported by MicrosoftType

Tar-fs index.js vulnerability enables link following and path traversal during extraction, risking writes outside the target directory.

Reporter	Title	Published	Views	Family All 68
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation	28 May 202514:39	–	ibm
IBM Security Bulletins	Security Bulletin: Carbon design system packages	18 Aug 202519:26	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Event Streams	3 Jul 202510:10	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in IBM QRadar Use Case Manager app	2 Dec 202514:51	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM Concert Software.	18 Aug 202504:29	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security QRadar EDR Software contains multiple vulnerabilities	11 Jun 202513:20	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerability in tar-fs package affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.	22 Sep 202513:18	–	ibm
IBM Security Bulletins	Security Bulletin: Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities	2 Mar 202618:52	–	ibm
Information Security Automation	May	23 May 202521:25	–	avleonov
CBLMariner	CVE-2024-12905 affecting package reaper for versions less than 3.1.1-18	11 Apr 202518:10	–	cbl_mariner