CVE-2019-13173
Arbitrary File Overwrite vulnerability in fstream (npm)

What is CVE-2019-13173 About?

Versions of the `fstream` package prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. This vulnerability allows an attacker to overwrite arbitrary files on the system when extracting malicious tarballs containing hardlinks and matching file names. This is potentially highly impactful, enabling denial of service or remote code execution, and is relatively easy to exploit with a specially crafted archive.

Affected Software

fstream <1.0.12

Technical Details

The fstream package, specifically its fstream.DirWriter() function in versions prior to 1.0.12, is vulnerable to an arbitrary file overwrite through a specific type of malicious tarball. The vulnerability arises when a tarball contains two critical elements: a hardlink to an existing file on the target system (e.g., /etc/passwd) and another file within the same tarball whose name matches the target of that hardlink (e.g., a file named passwd with attacker-controlled content). During extraction by fstream.DirWriter(), if the hardlink is processed first, fstream creates a link pointing to the system's target file. When the second file (the one with the matching name and attacker-controlled content) is then extracted, fstream writes its contents to the linked path, overwriting the original system file. This mechanism allows an attacker to replace critical operating system files with arbitrary content, leading to denial of service, privilege escalation, or even remote code execution if the overwritten file is an executable or configuration file.

What is the Impact of CVE-2019-13173?

Successful exploitation may allow attackers to overwrite arbitrary files on the file system, leading to denial of service, privilege escalation, or potentially remote code execution.

What is the Exploitability of CVE-2019-13173?

Exploitation of this Arbitrary File Overwrite vulnerability requires an attacker to provide a specially crafted tarball to an application that uses the vulnerable fstream library to extract it. The attacker needs to embed specific hardlinks and files within the archive. No authentication is required if the application processes untrusted tarball uploads or similar inputs. The attack is typically remote if such a file can be transmitted. The complexity is moderate, requiring knowledge of the target system's file paths and the ability to craft a malicious tarball. The primary prerequisite is that the application uses the fstream.DirWriter() function to handle untrusted archives. The risk factor increases significantly if the application automatically extracts uploaded archives without sufficient validation or sandboxing.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2019-13173?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch updates a file type check to also remove files with multiple hard links (nlink > 1) before writing. This prevents CVE-2019-13173, a vulnerability that could allow arbitrary file overwrites via hard links, by ensuring that files with multiple links are safely deleted before new data is written.

Available Upgrade Options

  • fstream
    • <1.0.12 → Upgrade to 1.0.12

Additional Resources

What are Similar Vulnerabilities to CVE-2019-13173?

Similar Vulnerabilities: CVE-2019-10023, CVE-2020-17521, CVE-2021-27905, CVE-2022-24765, CVE-2023-49089