CVE-2021-37713
Arbitrary File Creation vulnerability in tar (npm)
What is CVE-2021-37713 About?
This vulnerability in node-tar allows for arbitrary file creation, overwrite, and code execution exclusively on Windows systems by bypassing path sanitization during archive extraction. It leverages drive letter and `..` path segment weaknesses to extract files outside the designated directory. Exploitation is plausible for an attacker who can supply a malicious tar file.
Affected Software
- tar
  - >6.0.0, <6.1.9
  - >5.0.0, <5.0.10
  - <4.4.18
Technical Details
The vulnerability affects only Windows systems and stems from two flaws in node-tar's path sanitization, which is meant to prevent directory traversal during extraction:

1. Non-absolute paths carrying a drive letter different from the extraction target (e.g., `C:some\path` when extracting to `D:\extraction`) were not handled correctly. For such a path, `path.resolve` resolves it against the current working directory of the specified drive, not against the extraction target.
2. A `..` path segment immediately following a drive letter (e.g., `C:../foo`) was not caught by the check that looked for `..` among the split path portions.

An attacker who can supply a crafted tar archive containing such path constructs can achieve directory traversal, causing files to be extracted to arbitrary locations outside the intended extraction directory and resulting in arbitrary file creation or overwrite. The fix strips path roots, checks `..` path portions correctly after drive letters, and adds a defense-in-depth check that rejects entries resolving outside the extraction target.
What is the Impact of CVE-2021-37713?
Successful exploitation may allow attackers to create or overwrite arbitrary files on the system, which can lead to remote code execution, system configuration modification, or data destruction.
What is the Exploitability of CVE-2021-37713?
Exploitation is of moderate complexity, requiring specific knowledge of Windows path handling and crafting a malicious tar archive. No authentication is needed, as the vulnerability is triggered by the archive's content. Privilege requirements are limited to the ability to provide an untrusted tar file to the application. This is typically a remote attack if the application processes tar files from external sources. Special conditions include the target system being Windows and the application using the vulnerable node-tar library. Risk factors increase when applications process untrusted archive files on Windows.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-37713?
About the Fix from Resolved Security
This patch strengthens path sanitization in the tar extraction logic, ensuring that paths containing ".." components or Windows drive-local relative paths (like "C:..") are not allowed, and absolute paths are properly stripped of their roots. By enforcing these rules and validating that no extracted path escapes the intended extraction directory, it fixes CVE-2021-37713 by preventing directory traversal attacks that could allow files to be written outside the target directory.
Available Upgrade Options
- tar
  - <4.4.18 → Upgrade to 4.4.18
  - >5.0.0, <5.0.10 → Upgrade to 5.0.10
  - >6.0.0, <6.1.9 → Upgrade to 6.1.9
Additional Resources
- https://www.npmjs.com/package/tar
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
- https://nvd.nist.gov/vuln/detail/CVE-2021-37713
- https://github.com/isaacs/node-tar/commit/82eac952f7c10765969ed464e549375854b26edc
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://github.com/isaacs/node-tar/commit/875a37e3ec031186fc6599f6807341f56c584598
- https://github.com/isaacs/node-tar/commit/52b09e309bcae0c741a7eb79a17ef36e7828b946
- https://github.com/npm/node-tar
What are Similar Vulnerabilities to CVE-2021-37713?
Similar Vulnerabilities: CVE-2007-4559, CVE-2015-7546, CVE-2018-1000005, CVE-2019-11358, CVE-2020-28271
