CVE-2021-32803 in node-tar
Summary
by MITRE • 08/03/2021
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar`'s checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extract arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
Analysis
by VulDB Data Team • 02/15/2025
The CVE-2021-32803 vulnerability affects the npm package "tar", also known as node-tar, which is widely used for handling tar archive files in Node.js applications. This vulnerability is a critical arbitrary file creation and overwrite flaw that stems from inadequate symlink protection within the package's extraction logic. The issue impacts versions prior to 6.1.2, 5.0.7, 4.4.15, and 3.2.3, making it a significant concern for developers and security practitioners who rely on this package for archive handling.
The technical flaw resides in the directory cache mechanism that node-tar employs to optimize performance by avoiding unnecessary stat calls. When processing tar archives, the package creates directories and caches their paths to prevent redundant filesystem checks. However, this optimization creates a race condition when tar files contain both a directory entry and a symbolic link with identical names. The extraction process first creates the directory and adds it to the cache, then later encounters the symlink that should replace it. Due to the cached directory entry, the mkdir operation is skipped, but the symlink validation check occurs after this point, allowing attackers to bypass the symlink protection entirely.
This vulnerability enables attackers to perform arbitrary file creation and overwrite operations by crafting malicious tar files that exploit the directory cache race condition. The flaw operates through a specific sequence where a directory is created and cached, followed by a symlink replacement that should have been validated but wasn't due to the premature cache insertion. This allows untrusted tar archives to create symbolic links pointing to arbitrary filesystem locations and subsequently extract files into those locations, effectively granting attackers write access to any location accessible to the extracting process.
The operational impact of CVE-2021-32803 is severe as it can be exploited in various attack scenarios including privilege escalation, data corruption, and potential system compromise. Attackers can leverage this vulnerability to overwrite critical system files, inject malicious code into applications, or create backdoor access points. The vulnerability is particularly dangerous in environments where applications extract untrusted tar archives, such as package managers, deployment systems, or any application that processes user-uploaded archives. This aligns with ATT&CK technique T1059.007 for execution through scripts and T1566 for spearphishing with attachments, as malicious tar files could be delivered through these vectors.
Security mitigations for CVE-2021-32803 include immediate upgrading to patched versions 3.2.3, 4.4.15, 5.0.7, or 6.1.2 of the node-tar package. Organizations should also implement additional protective measures such as validating and sanitizing all tar files before extraction, implementing proper access controls for extraction directories, and monitoring for suspicious file creation patterns. The fix addresses the core issue by ensuring that symlink checks occur before directory creation and cache updates, preventing the race condition that enabled the bypass. This vulnerability demonstrates the importance of careful consideration of caching mechanisms in security-sensitive code and aligns with CWE-367, which addresses Time-of-Check to Time-of-Use (TOCTOU) vulnerabilities where the state of a resource changes between validation and usage operations.
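To make the mechanism in the summary and analysis above concrete, and to show the pre-extraction validation the mitigations recommend, here is an added example. It is not node-tar's code and not the project's fix: it is an in-memory model of an extraction walk with a directory cache, run once with the vulnerable ordering (cache hit skips the mkdir step and the symlink check inside it) and once hardened (a path leaves the cache as soon as a non-directory replaces it, and every ancestor is checked against the real state before writing), plus an `auditEntries` function that flags the directory-then-symlink collision, paths that pass through an earlier symlink, and symlink targets outside the extraction root. The entry shape `{ path, type, linkpath }`, the fake filesystem map and all function names are assumptions made for this example.

```javascript
// Added example; not node-tar's code. Entry shape and all names are assumptions.

// Resolve '.' and '..' in path segments; null if the path climbs above the root.
function normalizeSegments(segs) {
  const out = [];
  for (const seg of segs) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { if (out.length === 0) return null; out.pop(); continue; }
    out.push(seg);
  }
  return out;
}

// Split an archive entry path into components; null if absolute or escaping.
function splitEntryPath(p) {
  const raw = p.replace(/\\/g, '/');
  if (raw.startsWith('/')) return null;
  const parts = normalizeSegments(raw.split('/'));
  return parts && parts.length ? parts : null;
}

// True if a symlink at `parts` pointing at `linkpath` resolves outside the root.
function linkEscapesRoot(parts, linkpath) {
  if (linkpath.startsWith('/')) return true;
  return normalizeSegments([...parts.slice(0, -1), ...linkpath.split('/')]) === null;
}

// Walk `entries` in archive order against a fake filesystem (path -> type).
// hardened === false reproduces the vulnerable ordering: a path found in the
// directory cache is trusted without looking at what occupies it now, so the
// symlink refusal that lives inside mkdir never runs for it.
function simulateExtract(entries, hardened) {
  const disk = new Map();     // path -> 'dir' | 'file' | 'symlink'
  const dirCache = new Set(); // paths believed to be directories
  const log = [];

  // Forget a path and everything below it once it stops being a directory.
  const evict = (p) => {
    for (const c of [...dirCache]) if (c === p || c.startsWith(p + '/')) dirCache.delete(c);
  };

  // mkdir-or-skip; the symlink check is only reached on a cache miss.
  const ensureDir = (p) => {
    if (dirCache.has(p)) return true;
    const existing = disk.get(p);
    if (existing === 'symlink') return false;
    if (existing === undefined) disk.set(p, 'dir');
    dirCache.add(p);
    return true;
  };

  for (const e of entries) {
    const parts = splitEntryPath(e.path);
    if (!parts) { log.push({ path: e.path, action: 'rejected', reason: 'escapes root' }); continue; }
    const full = parts.join('/');
    let reason = null;
    for (let i = 1; i < parts.length && !reason; i++) {
      const ancestor = parts.slice(0, i).join('/');
      // Hardened walk: consult the real state first, never only the cache.
      if (hardened && disk.get(ancestor) === 'symlink') reason = 'symlink in path';
      else if (!ensureDir(ancestor)) reason = 'symlink in path';
    }
    if (reason) { log.push({ path: full, action: 'rejected', reason }); continue; }
    if (e.type === 'dir') {
      log.push({ path: full, action: ensureDir(full) ? 'mkdir' : 'rejected', reason: 'symlink in path' });
    } else {
      disk.set(full, e.type);    // a file or symlink replaces what was there,
      if (hardened) evict(full); // so the path must leave the directory cache
      log.push({ path: full, action: e.type });
    }
  }
  return { disk, log };
}

// Audit an untrusted entry list before handing it to any extractor.
function auditEntries(entries) {
  const findings = [];
  const dirs = new Set();
  const links = new Set();
  for (const e of entries) {
    const parts = splitEntryPath(e.path);
    if (!parts) { findings.push({ path: e.path, issue: 'path escapes root' }); continue; }
    const full = parts.join('/');
    for (let i = 1; i < parts.length; i++) {
      if (links.has(parts.slice(0, i).join('/'))) {
        findings.push({ path: full, issue: 'path traverses a symlink' });
        break;
      }
    }
    if (e.type === 'symlink') {
      if (dirs.has(full)) findings.push({ path: full, issue: 'symlink replaces earlier directory' });
      if (linkEscapesRoot(parts, e.linkpath || '')) findings.push({ path: full, issue: 'symlink target outside root' });
      links.add(full);
    } else if (e.type === 'dir') {
      dirs.add(full);
    }
  }
  return findings;
}

// Constructed sample entry list in the order the advisory describes.
const SAMPLE_ENTRIES = [
  { path: 'pkg', type: 'dir' },
  { path: 'pkg', type: 'symlink', linkpath: '../../outside' },
  { path: 'pkg/config', type: 'file' },
];
```

Run over `SAMPLE_ENTRIES`, the unhardened walk writes `pkg/config` even though `pkg` is by then a symlink, while the hardened walk rejects that entry with `symlink in path`; `auditEntries` reports the same archive as three findings before any extraction happens. The audit is the cheaper control for code that cannot upgrade immediately, since it only needs the entry list, but the eviction-plus-ancestor-check in the walk is what actually closes the cache gap.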