CVE-2021-32804 in node-tar

Summary

by MITRE • 08/03/2021

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.


Analysis

by VulDB Data Team • 02/15/2025

CVE-2021-32804 affects the npm package "tar" (node-tar), the library most Node.js applications use to read and write tar archives. It is an arbitrary file creation and overwrite vulnerability caused by insufficient sanitization of absolute paths during extraction. Releases before 6.1.1, 5.0.6, 4.4.14 and 3.2.2 are affected, so any project that unpacks archives with one of those versions is exposed. The flaw is triggered by archive entries whose name begins with repeated path-root characters, which lets a crafted archive write files outside the intended extraction directory.

The root cause is the path sanitization in node-tar's extraction code. Unless `preservePaths` is set to true, node-tar converts absolute entry paths to relative ones by stripping the path root, so `/home/user/.bashrc` becomes `home/user/.bashrc`. The vulnerable releases strip that root exactly once. An entry named `////home/user/.bashrc` therefore comes out as `///home/user/.bashrc`, and because Linux and most other operating systems treat a run of leading slashes as a single root, that path is still absolute: the entry is written to `/home/user/.bashrc` instead of into the extraction directory, and the intended protection is bypassed.

An attacker exploits this by crafting an archive whose entry names carry repeated leading roots and getting a vulnerable node-tar to extract it. Every file the extracting process can write is then reachable: shell start-up files such as `~/.bashrc`, application source in a deployment directory, or system files when extraction runs as root. The realistic exposure is wherever untrusted archives are unpacked automatically: package installation, CI and build systems, deployment tooling, and upload handlers that accept user-supplied archives. The impact is greatest when extraction runs with elevated privileges or when entry names are never validated before unpacking.

Because a single overwritten file can be enough to gain code execution (a shell configuration file, a cron entry, an application's own JavaScript), the practical consequence is often privilege escalation or full compromise of the host rather than mere data corruption, and organizations that run node-tar in build pipelines, deployment systems or package-management workflows should treat it as such. The fix is to upgrade to tar 3.2.2, 4.4.14, 5.0.6 or 6.1.1, which strip repeated roots until the path is relative. Where an upgrade is not immediately possible, a custom `onentry` handler that rewrites `entry.path`, or a `filter` callback that rejects entries with absolute paths, gives interim protection; such a workaround must itself handle repeated roots and `..` segments, otherwise it repeats the original mistake. The related CVE-2021-32803 (symlink handling during extraction) was fixed in later releases, so pin to the latest patched release rather than the minimum listed here.

The weakness is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), with CWE-73 (External Control of File Name or Path) as the general class: the archive, not the application, decides where a file is written. ATT&CK techniques describe how this primitive is used rather than the flaw itself. Delivery of a malicious archive maps to T1566 (Phishing) when a user is lured into extracting it; overwriting a shell start-up file such as `.bashrc`, the advisory's own example, is T1546.004 (Event Triggered Execution: Unix Shell Configuration Modification); destructive overwrites of files a service needs are T1499 (Endpoint Denial of Service); and hiding the hostile entry among legitimate archive contents is T1036 (Masquerading). Patching the library removes the primitive without changing its public API, but archive-handling code paths should be regression-tested after the upgrade, in particular anything that relied on `preservePaths` or on custom `filter` or `onentry` logic.

Responsible

GitHub, Inc.

Reservation

05/12/2021

Disclosure

08/03/2021

Moderation

accepted

CPE

ready

EPSS

0.15014

KEV

no

Activities

very low
