Symlink Attack Affecting tar-fs package, versions <1.16.4>=2.0.0 <2.1.2>=3.0.0 <3.0.7


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-TARFS-9535930
  • published28 Mar 2025
  • disclosed27 Mar 2025
  • creditbnbdr

Introduced: 27 Mar 2025

NewCVE-2024-12905  (opens in a new tab)
CWE-59  (opens in a new tab)

How to fix?

Upgrade tar-fs to version 1.16.4, 2.1.2, 3.0.7 or higher.

Overview

tar-fs is a filesystem bindings for tar-stream.

Affected versions of this package are vulnerable to Symlink Attack via the extraction process of a maliciously crafted tar file. An attacker can overwrite or write unauthorized files outside the intended directory by exploiting the path traversal and link following vulnerabilities.

References

CVSS Base Scores

version 4.0
version 3.1