CVE-2021-32804

Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization

Description

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Category

8.2
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 87.71% Top 5%
Third-Party Advisory siemens.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory npmjs.com Third-Party Advisory npmjs.com Third-Party Advisory oracle.com
Affected: npm node-tar
Published at:
Updated at:

References

Link Tags
https://www.npmjs.com/package/tar third party advisory product
https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 third party advisory mitigation
https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 third party advisory patch
https://www.npmjs.com/advisories/1770 third party advisory mitigation
https://www.oracle.com/security-alerts/cpuoct2021.html third party advisory patch
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2021-32804?
CVE-2021-32804 has been scored as a high severity vulnerability.
How to fix CVE-2021-32804?
To fix CVE-2021-32804, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-32804 being actively exploited in the wild?
It is possible that CVE-2021-32804 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~88% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-32804?
CVE-2021-32804 affects npm node-tar.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.