CVE-2021-37701 in node-tarinfo

Summary

by MITRE • 08/31/2021

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\` and `/` characters as path separators, however `\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 02/15/2025

The vulnerability identified as CVE-2021-37701 affects the npm package "tar" also known as node-tar, which is widely used for handling tar archive operations in node.js applications. This security flaw exists in versions prior to 4.4.16, 5.0.8, and 6.1.7 across different release branches, creating a critical risk for systems that process untrusted tar files. The vulnerability stems from insufficient logic in the package's symlink handling mechanism, specifically when dealing with path separators and directory caching on posix systems. The core issue manifests when tar archives contain both directories and symbolic links with identical names but using different path separators, particularly backslashes on posix systems where backslashes are valid filename characters.

The technical flaw exploits the directory caching mechanism within node-tar that was designed to prevent unnecessary stat calls by maintaining a cache of created directories. This caching logic incorrectly treats backslashes and forward slashes as equivalent path separators, allowing attackers to bypass symlink checks through a carefully crafted sequence of operations. An attacker can first create a directory entry, then replace it with a symbolic link having the same name but using backslashes as path separators. This manipulation causes the internal cache to retain the directory entry while the actual filesystem path becomes a symlink, effectively creating a bypass condition. The vulnerability enables arbitrary file creation and overwrites because the system believes the directory was properly created when it was actually replaced by a symlink pointing to an arbitrary location.

The operational impact of CVE-2021-37701 extends beyond simple file manipulation to encompass full arbitrary code execution capabilities. When an untrusted tar archive is processed, attackers can manipulate the extraction process to write files to any location on the filesystem, including system directories or configuration files. This creates opportunities for privilege escalation, persistence mechanisms, and complete system compromise. The vulnerability is particularly dangerous in environments where tar files are extracted automatically or processed as part of build pipelines, deployment scripts, or automated security scanning tools. The attack surface is further expanded by the fact that similar issues can occur on case-insensitive filesystems, where directory and symlink names that differ only in case can confuse the caching mechanism and result in the same arbitrary file placement behavior.

The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-502 (Deserialization of Untrusted Data) categories, representing both path traversal and code execution risks. From an ATT&CK perspective, this vulnerability maps to T1059.007 (Command and Scripting Interpreter: Python) and T1566 (Phishing) when used in attack chains involving malicious tar archives delivered through social engineering. The remediation requires updating to patched versions 4.4.16, 5.0.8, or 6.1.7, with the deprecated v3 branch not receiving any patches. Organizations should also consider implementing additional security controls such as sandboxed extraction environments, file type validation, and network segmentation to limit the potential impact of exploitation. The workaround referenced in GHSA-9r2w-394v-53qc provides temporary mitigation for systems unable to upgrade immediately, though this should be viewed as a stopgap measure rather than a permanent solution.

Responsible

GitHub, Inc.

Reservation

07/29/2021

Disclosure

08/31/2021

Moderation

accepted

CPE

ready

EPSS

0.03286

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!