AZL-59367

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-59367.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-59367

Upstream

CVE-2024-12905

Published

2025-03-27T17:15:53Z

Modified

2026-04-01T05:19:51.235422Z

Summary

CVE-2024-12905 affecting package reaper for versions less than 3.1.1-18

Details

An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). This vulnerability occurs when extracting a maliciously crafted tar file, which can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package.

This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.8.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-12905

Affected packages

Azure Linux:2 / reaper

Package

Name: reaper
Purl: pkg:rpm/azure-linux/reaper

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.1.1-18

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-59367.json"