Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2021-37713

HIGH
Published 2021-08-31T16:50:09
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2021-37713. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1
8.2
/10
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Base Score Metrics
Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14
0.009
probability
of exploitation in the wild

There is a 0.9% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25
Exploit Probability
Percentile: 0.751
Higher than 75.1% of all CVEs

Attack Vector Metrics

Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED

Impact Metrics

Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Description

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

npm

node-tar

Affected Versions:

< 4.4.18 >= 5.0.0, < 5.0.10 >= 6.0.0, < 6.1.9

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

GHSA-5955-9wpr-37jh

Advisory Details

### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\path`. If the drive letter does not match the extraction target, for example `D:\extraction\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. ### Patches 4.4.18 || 5.0.10 || 6.1.9 ### Workarounds There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves. ### Fix The fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not "absolute". Additionally, a path starting with a drive letter and then two dots, like `c:../`, would bypass the check for `..` path portions. This is checked properly in the patched versions. Finally, a defense in depth check is added, such that if the `entry.absolute` is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. Currently, it is believed that this check is redundant, but it did catch some oversights in development.

Affected Packages

npm tar
ECOSYSTEM: ≥0 <4.4.18
npm tar
ECOSYSTEM: ≥5.0.0 <5.0.10
npm tar
ECOSYSTEM: ≥6.0.0 <6.1.9

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References

WEB https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2021-37713
WEB https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946
WEB https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc
WEB https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598
WEB https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
PACKAGE https://github.com/npm/node-tar
WEB https://www.npmjs.com/package/tar
WEB https://www.oracle.com/security-alerts/cpuoct2021.html

Advisory provided by GitHub Security Advisory Database. Published: August 31, 2021, Modified: August 31, 2021

References

https://www.npmjs.com/package/tar
https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
https://www.oracle.com/security-alerts/cpuoct2021.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
Published: 2021-08-31T16:50:09
Last Modified: 2024-08-04T01:23:01.533Z
Copied to clipboard!