CVE-2021-37712
Arbitrary File Creation vulnerability in tar (npm)
What is CVE-2021-37712 About?
This vulnerability in node-tar allows for arbitrary file creation, overwrite, and code execution by bypassing symlink checks during archive extraction. It leverages specially crafted tar archives containing unicode normalization or Windows 8.3 short path collisions to manipulate file system entities. Exploitation is plausible for an attacker who can supply a malicious tar file.
Affected Software
- tar
  - >3.0.0, <4.4.18
  - >5.0.0, <5.0.10
  - >6.0.0, <6.1.9
Technical Details
The vulnerability stemmed from gaps in the logic node-tar uses to prevent extraction through symlinks. Specifically, it failed to treat as equivalent Unicode strings that normalize to the same value (e.g., under NFKD normalization) and Windows 8.3 short paths that collide with long names. An attacker could craft a tar archive with two directories whose names resolve to the same file system entity because of such normalization or collision behaviour. After these directory entries, the archive includes a symbolic link using one form of the name and then a file using the other form. Because node-tar tracked the two spellings as different directories, the symlink check was bypassed for the second spelling, letting the attacker point a symlink at an arbitrary location and then extract files through it, leading to arbitrary file creation or overwrite. The patch addresses this by applying String.normalize('NFKD') to entry paths, normalizing slashes on Windows, and clearing the directory cache whenever a symbolic link is encountered on Windows.
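As an added illustration of the collision described above (written for this page, not node-tar's own code): a pre-extraction scan over tar entry headers that compares paths in canonical form, so a file placed under one Unicode spelling of a directory is recognized as passing through a symlink created under another spelling. The `canonical` helper, the 8.3 short-name heuristic and the constructed entry list are this example's own assumptions.

```javascript
// Added example (not node-tar's code): scan tar entry headers before
// extraction and flag writes that would pass through a symlink once paths
// are compared in canonical form, the collision pattern behind CVE-2021-37712.

// Canonical form of an entry path: NFKD-normalize (so "é" and "e"+U+0301
// meet), use forward slashes, drop "", "." and leading "/" segments, and
// lower-case when the target file system is case-insensitive (Windows).
function canonical(p, caseInsensitive = false) {
  const segs = p.normalize('NFKD').replace(/\\/g, '/').split('/')
    .filter((s) => s !== '' && s !== '.');
  const s = segs.join('/');
  return caseInsensitive ? s.toLowerCase() : s;
}

// Heuristic for Windows 8.3 short-name aliases such as PROGRA~1 or LONGFI~2.TXT.
// The real alias depends on the target volume, so these are only flagged for review.
const SHORT_NAME = /^[^.\/]{1,6}~\d+(\.[^.\/]{1,3})?$/i;

// entries: array of { path, type, linkpath? } using node-tar's type names
// ('Directory', 'SymbolicLink', 'File'). Returns an array of findings.
function findNormalizationCollisions(entries, opts = {}) {
  const symlinks = new Map(); // canonical path -> entry path of the symlink
  const findings = [];
  for (const e of entries) {
    const c = canonical(e.path, opts.caseInsensitive);
    const parts = c.split('/');
    for (let i = 1; i < parts.length; i++) {
      // Every parent prefix is checked against symlinks seen so far, so a file
      // spelled in one Unicode form is caught under a link spelled in another.
      const prefix = parts.slice(0, i).join('/');
      if (symlinks.has(prefix)) {
        findings.push({ entry: e.path, via: symlinks.get(prefix),
          reason: 'write through symlinked directory after normalization' });
      }
    }
    if (parts.some((seg) => SHORT_NAME.test(seg))) {
      findings.push({ entry: e.path, via: null, reason: 'possible 8.3 short-name alias' });
    }
    if (e.type === 'SymbolicLink') symlinks.set(c, e.path);
  }
  return findings;
}

// Constructed sample: two directory spellings that are NFKD-equal, a symlink
// under one spelling, then a file under the other spelling.
const SAMPLE_ENTRIES = [
  { path: 'pkg/caf\u00e9', type: 'Directory' },                           // NFC "café"
  { path: 'pkg/cafe\u0301', type: 'Directory' },                          // NFD "café"
  { path: 'pkg/caf\u00e9', type: 'SymbolicLink', linkpath: '/tmp/outside' },
  { path: 'pkg/cafe\u0301/note.txt', type: 'File' },
];

console.log(findNormalizationCollisions(SAMPLE_ENTRIES));
```

A scanner like this rejects the archive before any entry touches the disk; node-tar's own fix instead canonicalizes the keys of its directory cache during extraction.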
What is the Impact of CVE-2021-37712?
Successful exploitation may allow attackers to create or overwrite arbitrary files on the system, which can lead to remote code execution, system configuration modification, or data destruction.
What is the Exploitability of CVE-2021-37712?
Exploitation involves crafting a specialized tar archive, indicating a moderate level of complexity. No authentication is required, since the vulnerability lies in the processing of the archive itself. The only privilege needed is the ability to supply an untrusted tar file to the application, so the attack vector is typically remote when the application processes tar files from external sources. Exploitation depends on the target file system treating Unicode normalization variants or Windows 8.3 short paths as the same entity; such behaviour is more prevalent on Windows. Risk is higher for applications that process untrusted archive files, especially where Unicode path names are common or on Windows systems.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-37712?
About the Fix from Resolved Security
This patch fixes CVE-2021-37712 by implementing stricter and more robust path normalization and handling in the tar extraction process, especially for Windows, where path equivalence and collisions can occur due to case-insensitivity, Unicode normalization, and 8.3 shortnames. By aggressively normalizing paths and disabling parallelization for reservations on Windows, and by clearing cached directory entries when potential symlink or normalization collisions are detected, it prevents malicious tar entries from bypassing security checks and writing files outside the intended extraction directory. This closes the path traversal and arbitrary write vulnerabilities that CVE-2021-37712 exploited.
Available Upgrade Options
- tar
  - >3.0.0, <4.4.18 → Upgrade to 4.4.18
  - >5.0.0, <5.0.10 → Upgrade to 5.0.10
  - >6.0.0, <6.1.9 → Upgrade to 6.1.9
Additional Resources
- https://osv.dev/vulnerability/GHSA-qq89-hq3f-393p
- https://github.com/isaacs/node-tar/commit/3aaf19b2501bbddb145d92b3322c80dcaed3c35f
- https://www.debian.org/security/2021/dsa-5008
- https://github.com/isaacs/node-tar/commit/d56f790bda9fea807dd80c5083f24771dbdd6eb1
- https://www.npmjs.com/package/tar
- https://github.com/npm/node-tar
- https://www.oracle.com/security-alerts/cpuoct2021.html
What are Similar Vulnerabilities to CVE-2021-37712?
Similar Vulnerabilities: CVE-2007-4559, CVE-2015-7546, CVE-2018-1000005, CVE-2019-11358, CVE-2020-28271
