CVE-2024-12905 – Path Traversal and Link Following

Severity: None

2025-12-19


Abstract

The tar-fs package is affected by Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The vulnerability is triggered when extracting a maliciously crafted tar file and can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is in index.js of the tar-fs package and affects tar-fs from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, and from 3.0.0 before 3.0.8.

Oxygen products incorporate the tar-fs package as a third-party library (transitively, via dockerode in the Content Fusion config-server). This advisory was opened to address the potential impact of this third-party library vulnerability.

Affected Products/Versions

Product: Oxygen Content Fusion v8.0 and older
Severity: None
Fixed Release Availability: Oxygen Content Fusion 8.1 build 2025042315

Mitigation

None

Detail

CVE-2024-12905

Severity: High

CVSS Score: 7.5

A flaw in tar-fs allows path traversal and improper link (symlink) resolution when extracting crafted tar archives, enabling writes outside the intended extraction directory. The issue is in index.js and affects tar-fs versions: 0.0.0–1.16.3, 2.0.0–2.1.1, and 3.0.0–3.0.7. The vulnerability is triggered only when tar extraction functionality is invoked on untrusted archives.

Our review indicates that we do not invoke tar-fs at runtime, so the vulnerable code path is not reachable in normal product operation.

Starting with Oxygen Content Fusion version 8.1 build 2025042315, we updated the dependencies to include a non-vulnerable tar-fs.
