cbcvebase.
CVE-2021-32804
published 2021-08-03

Priority: P3 51 · Severity: high · CVSS 3.1 base score: 8.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 15.01% (96.3rd percentile)
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Affected

16 ranges
Vendor       Product                                 Version range                               Fixed in
debian       node-tar                                < node-tar 6.1.7+~cs11.3.10-1 (bookworm)    node-tar 6.1.7+~cs11.3.10-1 (bookworm)
gnu          tar                                     >= 0 < 3.2.2                                3.2.2
gnu          tar                                     >= 4.0.0 < 4.4.14                           4.4.14
gnu          tar                                     >= 5.0.0 < 5.0.6                            5.0.6
gnu          tar                                     >= 6.0.0 < 6.1.1                            6.1.1
isaacs       node-tar                                >= 0 < 6.0.5+ds1+~cs11.3.9-1+deb11u1        6.0.5+ds1+~cs11.3.9-1+deb11u1
isaacs       node-tar                                >= 0 < 6.1.7+~cs11.3.10-1                   6.1.7+~cs11.3.10-1
isaacs       node-tar                                >= 0 < 6.1.7+~cs11.3.10-1                   6.1.7+~cs11.3.10-1
isaacs       node-tar                                >= 0 < 6.1.7+~cs11.3.10-1                   6.1.7+~cs11.3.10-1
oracle       graalvm                                 (no range given)                            (none given)
oracle       graalvm                                 (no range given)                            (none given)
siemens      sinec_infrastructure_network_services   < 1.0.1.1                                   1.0.1.1
tar_project  tar                                     < 3.2.2                                     3.2.2
tar_project  tar                                     >= 4.0.0 < 4.4.14                           4.4.14
tar_project  tar                                     >= 5.0.0 < 5.0.6                            5.0.6
tar_project  tar                                     >= 6.0.0 < 6.1.1                            6.1.1

Detection & IOCs (extracted from sources)

  • Tar archive entries with repeated absolute path roots (e.g. '////home/user/.bashrc' or '///home/user/.bashrc') are the exploit payload pattern — inspect entry.path values in tar files for multiple consecutive leading slashes before a path component
  • Monitor for unexpected file creation or overwrite outside the intended extraction directory when node-tar (npm package 'tar') is used to extract archives, particularly in versions before 3.3.2, 4.4.14, 5.0.6, and 6.1.1
  • A workaround/detection hook: implement a custom 'onentry' method checking entry.path for absolute paths (paths still starting with '/') after node-tar processing, or a 'filter' method rejecting entries with absolute paths — triggering either indicates a malicious archive
  • The 'preservePaths' flag being set to 'true' disables absolute path stripping entirely — any deployment using preservePaths:true is fully exposed to path traversal regardless of this CVE's specific bypass
  • Red Hat Quay 3.3 uses an affected version of nodejs-tar but is in extended life phase — no fix will be delivered for that version; treat all Quay 3.3 deployments as permanently vulnerable
  • RHEL 8 and Red Hat Software Collections embed node-tar inside the npm command itself — a specially crafted node module delivered via npm install can exploit this to write files outside its package directory

CVSS provenance

nvd, CVSS v3.1: 8.1 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
nvd, CVSS v2.0: 5.8 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:P)
ghsa: 8.1 HIGH
osv: 8.1 HIGH
vendor_debian: 8.2 HIGH
vendor_redhat: 8.2 HIGH