Vulnerability identifier: #VU58205

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-32804

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
tar
Web applications / JS libraries

Vendor: npm Inc.

Description

The vulnerability allows a remote attacker to overwrite arbitrary files on the system.

The vulnerability exists due to a logic issue when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite.

Mitigation
Install update from vendor's website.

Vulnerable software versions

tar: 3.0.0 - 6.1.0

---

Fixed software versions

CPE

• cpe:2.3:a:npm:tar:6.1.0:*:*:*:*:nodejs:*:*

External links
http://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
http://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

---

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?