CVE-2024-12905
Denial of Service (DoS) vulnerability in tar-fs (npm)
What is CVE-2024-12905 About?
This vulnerability is a Denial of Service (DoS) in OpenSSL, allowing attackers to crash the application by processing a maliciously formatted PKCS12 file. It specifically occurs due to incorrect checking for NULL fields within the PKCS12 structure, leading to a NULL pointer dereference. Exploiting this is moderately easy, requiring the ability to provide untrusted PKCS12 files.
Affected Software
- tar-fs
  - >3.0.0, <3.0.7
  - >2.0.0, <2.1.2
  - <1.16.4
Technical Details
This OpenSSL vulnerability (CVE-2024-0727) is a Denial of Service (DoS) caused by a NULL pointer dereference when processing maliciously formatted PKCS12 files. The PKCS12 specification allows certain fields to be NULL, but OpenSSL's parsing functions (specifically PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes(), and PKCS12_newpass()) do not correctly check for these NULL scenarios. An attacker can craft a PKCS12 file where these fields are NULL, which, when processed by the vulnerable OpenSSL APIs, triggers a NULL pointer dereference, causing the application using OpenSSL to crash and terminate abruptly. This leads to a denial of service for any application that loads PKCS12 files from untrusted sources.
What is the Impact of CVE-2024-12905?
Successful exploitation may allow attackers to crash applications that process PKCS12 files, leading to a denial of service and disrupting system availability.
What is the Exploitability of CVE-2024-12905?
Exploitation of this Denial of Service vulnerability requires the attacker to provide a specially crafted PKCS12 file to an application that uses vulnerable OpenSSL APIs to parse it. The complexity is moderate, as it requires knowledge of the PKCS12 format and how to trigger the NULL pointer dereference. There are no explicit authentication or privilege requirements for the attacker to supply such a file, assuming the application expects to process PKCS12 files from potentially untrusted sources. It can be exploited remotely if the application allows remote submission of PKCS12 files. The primary risk factor is any application that loads PKCS12 files from untrusted origins, such as user uploads or external services, and uses affected OpenSSL versions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| theMcSam | Link | tar-fs file write/overwrite vulnerability |
What are the Available Fixes for CVE-2024-12905?
About the Fix from Resolved Security
This patch validates that symlink and hardlink targets are confined within the intended extraction directory by resolving their destination paths and ensuring they start with the extraction root. This prevents path traversal attacks (such as placing files outside the extraction directory), addressing the vulnerability in CVE-2024-12905 where malicious tar archives could write or link to arbitrary filesystem locations.
Available Upgrade Options
- tar-fs
  - <1.16.4 → Upgrade to 1.16.4
  - >2.0.0, <2.1.2 → Upgrade to 2.1.2
  - >3.0.0, <3.0.7 → Upgrade to 3.0.7
Additional Resources
- https://www.seal.security/blog/a-link-to-the-past-uncovering-a-new-vulnerability-in-tar-fs
- https://github.com/mafintosh/tar-fs
- https://github.com/mafintosh/tar-fs/commit/a1dd7e7c7f4b4a8bd2ab60f513baca573b44e2ed
- https://nvd.nist.gov/vuln/detail/CVE-2024-12905
- https://arxiv.org/pdf/2506.04962
- https://arxiv.org/abs/2506.04962
- https://osv.dev/vulnerability/GHSA-pq67-2wwv-3xjx
What are Similar Vulnerabilities to CVE-2024-12905?
Similar Vulnerabilities: CVE-2023-3817, CVE-2023-3446, CVE-2023-3812, CVE-2023-3792, CVE-2023-2655
