CVE-2021-32803: Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Published Aug 3, 2021
·
Updated

Impact

Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution

node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur.

By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.

This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Patches

3.2.3 || 4.4.15 || 5.0.7 || 6.1.2

Workarounds

Users may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.

js const tar = require('tar')

tar.x({ file: 'archive.tgz', filter: (file, entry) => { if (entry.type === 'SymbolicLink') { return false } else { return true } } })

Users are encouraged to upgrade to the latest patch versions, rather than attempt to sanitize tar input themselves.

Other sources

Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing "dot dot" sequences (/../) to create or overwrite arbitrary files on the system.

IBM

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

The npm package "tar" (aka node-tar) has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.

Affected Software

19 affected componentsFixes available
redhat/rh-nodejs14-nodejs<0:14.17.5-1.el7
0:14.17.5-1.el7
redhat/rh-nodejs12-nodejs<0:12.22.5-1.el7
0:12.22.5-1.el7
redhat/rh-nodejs12-nodejs-nodemon<0:2.0.3-5.el7
0:2.0.3-5.el7
redhat/nodejs-tar<3.2.3
3.2.3
redhat/nodejs-tar<4.4.15
4.4.15
redhat/nodejs-tar<5.0.7
5.0.7
redhat/nodejs-tar<6.1.2
6.1.2
npm/tar>=3.0.0<3.2.3
3.2.3
npm/tar>=6.0.0<6.1.2
6.1.2
npm/tar>=5.0.0<5.0.7
5.0.7
npm/tar>=4.0.0<4.4.15
4.4.15
Tar Project Tar Node.js<3.2.3
Tar Project Tar Node.js>=4.0.0<4.4.15
Tar Project Tar Node.js>=5.0.0<5.0.7
Tar Project Tar Node.js>=6.0.0<6.1.2
Oracle GraalVM=20.3.3
Oracle GraalVM=21.2.0
Siemens Sinec Infrastructure Network Services<1.0.1.1
IBM Security QRadar EDR<=3.12

Remediation

Patch Available

https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Patch Available

https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Event History

Aug 3, 2021
CVE Published
12:00 AM
Advisory Published
via GitHub·07:00 PM
CVE Published
via MITRE·07:05 PM
Data Sourced
via MITRE·07:05 PM
DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-32803?

CVE-2021-32803 is a vulnerability in the node-tar package that allows a local attacker to traverse directories on the system by exploiting insufficient symlink protection.

2

What is the severity of CVE-2021-32803?

The severity of CVE-2021-32803 is high with a CVSS score of 8.1.

3

How does CVE-2021-32803 affect the node-tar package?

CVE-2021-32803 affects the npm package "tar" (aka node-tar) versions before 6.1.2, 5.0.7, 4.4.15, and 3.2.3.

4

How can I fix CVE-2021-32803?

To fix CVE-2021-32803, you need to update the node-tar package to version 6.1.2, 5.0.7, 4.4.15, or 3.2.3.

5

Where can I find more information about CVE-2021-32803?

You can find more information about CVE-2021-32803 on the following references: npmjs.com, GitHub advisory GHSA-r628-mhmh-qjhw, and the GitHub commit 9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203