An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8367-1 advisory.

    It was discovered that tar-fs did not properly limit paths when extracting crafted tar files. An attacker     could possibly use this issue to write or overwrite files outside the intended extraction directory. This     issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-12905)

    It was discovered that tar-fs did not properly validate extraction paths for certain crafted tar archives.
    An attacker could possibly use this issue to write files outside the intended extraction directory. This     issue only affected Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2025-48387)

    It was discovered that tar-fs had a symlink validation bypass when extracting crafted tar files. An     attacker could possibly use this issue to write files outside the intended extraction directory.
    (CVE-2025-59343)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101478 advisory.

  - An Improper Link Resolution Before File Access (Link Following) and Improper Limitation of a Pathname to     a Restricted Directory (Path Traversal). This vulnerability occurs when extracting a maliciously crafted     tar file, which can result in unauthorized file writes or overwrites outside the intended extraction     directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from     0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8. (CVE-2024-12905)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An Improper Link Resolution Before File Access (Link Following) and Improper Limitation of a Pathname to     a Restricted Directory (Path Traversal). This vulnerability occurs when extracting a maliciously crafted     tar file, which can result in unauthorized file writes or overwrites outside the intended extraction     directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from     0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8. (CVE-2024-12905)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4214 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-4214-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     June 11, 2025                                 https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : node-tar-fs     Version        : 2.1.3-0+deb11u1     CVE ID         : CVE-2024-12905 CVE-2025-48387     Debian Bug     : 1101501

    Path traversal has been fixed in node-tar-fs, a Node.js module that     provides filesystem-like access to tar files.

    CVE-2024-12905

        symlink path traversal

    CVE-2025-48387

        hardlink path traversal

    For Debian 11 bullseye, these problems have been fixed in version     2.1.3-0+deb11u1.

    We recommend that you upgrade your node-tar-fs packages.

    For the detailed security status of node-tar-fs please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/node-tar-fs

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-12905 advisory.

  - An Improper Link Resolution Before File Access (Link Following) and Improper Limitation of a Pathname to     a Restricted Directory (Path Traversal). This vulnerability occurs when extracting a maliciously crafted     tar file, which can result in unauthorized file writes or overwrites outside the intended extraction     directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from     0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8. (CVE-2024-12905)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-8eb387668b advisory.

    Fix CVE-2024-12905.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-f7671643c4 advisory.

    Fix CVE-2024-12905.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
318627	Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : tar-fs vulnerabilities (USN-8367-1)	Nessus	Ubuntu Local Security Checks	high
282639	Atlassian Confluence 7.19.0 < 8.5.10 / 8.6.x < 9.2.5 / 9.3.x < 9.3.1 / 9.4.x < 9.5.1 / 10.0.x < 10.0.2 / 10.1.0 / 10.2.0 (CONFSERVER-101478)	Nessus	CGI abuses	high
246998	Linux Distros Unpatched Vulnerability : CVE-2024-12905	Nessus	Misc.	high
238247	Debian dla-4214 : node-tar-fs - security update	Nessus	Debian Local Security Checks	high
234305	CBL Mariner 2.0 Security Update: reaper (CVE-2024-12905)	Nessus	MarinerOS Local Security Checks	high
233942	Fedora 41 : yarnpkg (2025-8eb387668b)	Nessus	Fedora Local Security Checks	high
233940	Fedora 40 : yarnpkg (2025-f7671643c4)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2024-12905

high

Tenable Plugins

high

high

high

high

high

high

high