CVE-2021-32804
Arbitrary File Creation vulnerability in tar (npm)


What is CVE-2021-32804 About?

`node-tar` has a path traversal vulnerability affecting versions prior to 3.2.2, 4.4.14, 5.0.6, and 6.1.1. When `preservePaths` is not set, it strips only a single leading root from an absolute entry path, so a path with repeated roots (for example ////home/user/.bashrc) stays absolute and the entry is created or overwritten outside the extraction directory. Exploiting it is moderately easy: an attacker only needs to craft a tar archive and get the vulnerable application to extract it.

Affected Software

  • tar
    • <3.2.2
    • >=4.0.0, <4.4.14
    • >=5.0.0, <5.0.6
    • >=6.0.0, <6.1.1

Technical Details

When preservePaths is not set, node-tar tries to defuse absolute entry paths by converting them to relative ones before extraction. The affected versions do this by removing only the root that Node's path.parse() reports, which for a path with repeated separators such as ////home/user/.bashrc is the single leading '/'. What remains, ///home/user/.bashrc, is still an absolute path. At extraction time the entry path is resolved against the destination directory, and because it is absolute the destination is ignored: the file is written to /home/user/.bashrc on the host, not beneath the extraction directory. An attacker who controls the archive can therefore create or overwrite any file the extracting process is allowed to write. This leads to arbitrary file creation and overwrite and, if a configuration file, a shell startup file or an executable in a reachable location is replaced, to arbitrary code execution.

What is the Impact of CVE-2021-32804?

Successful exploitation may allow attackers to create or overwrite arbitrary files on the system, potentially leading to privilege escalation, arbitrary code execution, or complete system compromise.

What is the Exploitability of CVE-2021-32804?

Exploitation consists of crafting a tar archive whose file entries carry absolute paths with repeated leading roots (e.g., ////etc/passwd) and having a vulnerable application extract it. Whether this is a local or a remote vulnerability depends on how the archive reaches the application; it is remote whenever untrusted archives from external sources are unpacked. No authentication or privileges are needed beyond the ability to supply an archive. The crafted entries are written with the privileges of the extracting process, so that process's write access bounds the damage. The complexity is moderate: the attacker needs to understand tar entry headers and the path sanitization bypass, but nothing else. The main risk factor is a vulnerable node-tar version in an application that unpacks untrusted archives, which raises the likelihood of exploitation significantly.

What are the Known Public Exploits?

PoC Author | Link | Commentary
yamory | Link | PoC for CVE-2021-32804

What are the Available Fixes for CVE-2021-32804?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch introduces a function that strips every leading absolute path root from an entry path before the entry is extracted or written, looping until the remainder is no longer absolute, however many times the root is repeated. That closes the path traversal behind CVE-2021-32804, in which a crafted archive could overwrite arbitrary files outside the intended extraction directory by supplying entry paths with repeated leading roots; with all absolute prefixes removed, the remaining path is relative and extraction stays within the designated directory.

Available Upgrade Options

  • tar
    • <3.2.2 → Upgrade to 3.2.2
    • >=4.0.0, <4.4.14 → Upgrade to 4.4.14
    • >=5.0.0, <5.0.6 → Upgrade to 5.0.6
    • >=6.0.0, <6.1.1 → Upgrade to 6.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2021-32804?

Similar Vulnerabilities: CVE-2007-4559, CVE-2000-0322, CVE-2021-32803, CVE-2022-26280, CVE-2022-45143