CVE-2021-32804

8.2 HIGH

📋 TL;DR

The npm tar package (node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has an arbitrary file creation/overwrite vulnerability due to insufficient sanitization of absolute paths. When preservePaths is not set, node-tar is meant to neutralise absolute entry names by stripping the path root (so /home/user/.bashrc becomes home/user/.bashrc), but it stripped only a single root. An entry named ////home/user/.bashrc therefore became ///home/user/.bashrc, which still resolves as an absolute path, so an attacker can create or overwrite any file the extracting process can write. This affects any application using a vulnerable version of the tar package to extract untrusted tar files.

💻 Affected Systems

Products:
  • npm tar package (node-tar)
Versions: All versions before 6.1.1, 5.0.6, 4.4.14, and 3.3.2
Operating Systems: All operating systems where Node.js runs (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable when extracting with preservePaths left at its default (false), which is precisely the mode intended to neutralise absolute paths. With preservePaths: true absolute entry names are honoured by design, so that setting is never safe for untrusted input either. Applications that extract user-supplied archives are at highest risk.

📦 What is this software?

node-tar is the pure-JavaScript tar implementation published on npm as 'tar'. It is a dependency of the npm CLI itself and of many build, packaging and deployment tools, so a vulnerable copy is frequently present as a transitive dependency rather than something the application installed directly.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary file overwrite, bounded only by the privileges of the extracting process (e.g., overwriting critical system files, planting backdoors, or writing to sensitive locations such as /etc/passwd, cron entries, shell dotfiles or SSH authorized_keys).

🟠

Likely Case

Data corruption, denial of service, or privilege escalation by overwriting application configuration files or user data.

🟢

If Mitigated

Limited impact if only trusted tar files are processed or proper input validation is implemented.

🌐 Internet-Facing: HIGH if the application processes user-uploaded tar files from the internet without proper validation.
🏢 Internal Only: MEDIUM if internal users can submit tar files to vulnerable applications, but lower than internet-facing due to reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward: craft a tar archive whose entry name carries a repeated path root (e.g., ////home/user/.bashrc). The vulnerable code strips one root and is left with ///home/user/.bashrc, which still resolves as an absolute path, so the entry is written to the real location instead of under the extraction directory. No special tooling is required beyond writing a tar header by hand, and public proof-of-concept code is available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.1, 5.0.6, 4.4.14, or 3.3.2 (depending on your major version)

Vendor Advisory: https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

Restart Required: Yes for the affected Node.js processes (an already-running process keeps the old module loaded until it restarts); no OS reboot.

Instructions:

1. Find every copy of tar in the dependency tree, including nested ones: 'npm list tar' (or 'npm audit', which reports this advisory).
2. Update each copy to a patched release of its major line: 6.1.1, 5.0.6, 4.4.14 or 3.3.2. For a direct dependency, 'npm install tar@^6.1.1' (or the matching spec for v5/v4/v3). For transitive copies, 'npm audit fix', or an 'overrides' entry in package.json (npm 8.3 and later; 'resolutions' in Yarn) so that a parent package's lock file cannot keep pinning the old version.
3. Prefer the latest release in your major line rather than the minimum listed; later releases fixed further path-handling issues in the same code.
4. Test your application's extraction paths for compatibility and restart the affected Node.js processes.

🔧 Temporary Workarounds

Custom onentry method sanitization

all

Implement a custom onentry method in tar extraction that sanitizes entry.path by removing every leading root (all repeated slashes, and drive prefixes on Windows), not just the first one. The vendor advisory recommends upgrading over sanitizing tar input yourself; treat this as a stopgap.

// Example Node.js code snippet (the onentry workaround from the vendor advisory):
const path = require('path');
const tar = require('tar');
tar.extract({
  file: 'archive.tar',
  onentry: (entry) => {
    if (path.isAbsolute(entry.path)) {
      // Strip every leading root, not just one: ////home/user/.bashrc and
      // C:\C:\Windows\x both become relative and extract under cwd.
      entry.path = entry.path.replace(/^(?:(?:[a-zA-Z]:)?[\\/]|[a-zA-Z]:)+/, '');
      entry.absolute = path.resolve(entry.path); // as in the advisory's snippet
    }
  }
});

Filter method to block absolute paths

all

Use a filter method during tar extraction to reject any entries with absolute paths.

// Example Node.js code snippet (the filter workaround from the vendor advisory):
const path = require('path');
const tar = require('tar');
tar.extract({
  file: 'archive.tar',
  // Drop any entry whose name is absolute (POSIX "/..." or Windows "C:\...")
  // rather than trying to repair it; path.isAbsolute is platform-aware.
  filter: (entryPath) => !path.isAbsolute(entryPath)
});

🧯 If You Can't Patch

  • Only extract tar files from trusted sources, and inspect entry names (for example by listing the archive) before extracting anything from a source you cannot fully trust.
  • Run the extracting process as a dedicated low-privilege user, ideally in a container or chroot, with write access only to the extraction directory; an absolute-path entry can then only overwrite what that user can already write.

🔍 How to Verify

Check if Vulnerable:

Check the tar package version in your project with 'npm list tar', or inspect package.json and package-lock.json, for any copy older than 6.1.1, 5.0.6, 4.4.14, or 3.3.2 within its major line. tar is usually a nested dependency, so look at every copy the lock file resolves, not only a top-level one.

Check Version:

npm list tar

Verify Fix Applied:

After updating, verify the installed version: every copy shown by 'npm list tar' should be at or above 6.1.1, 5.0.6, 4.4.14, or 3.3.2 for its major line. Then test extraction with a crafted tar file containing repeated path roots and confirm the entry lands under the extraction directory rather than at the absolute path; point the crafted entry at a harmless marker file, never at a real configuration file.

📡 Detection & Monitoring

Log Indicators:

  • File creation or overwrite events outside the expected extraction directory (home-directory dotfiles, /etc, cron directories, SSH authorized_keys) performed by the Node.js process that extracts archives.
  • Application log entries from node-tar's own warnings: when it strips a root it reports this through the onwarn callback (in tar 6.x as a TAR_ENTRY_INFO warning, "stripping / from absolute path"; older lines use similar wording). Any such warning means an archive with absolute entry names was submitted, which untrusted uploads should never contain.

Network Indicators:

  • Uploads of tar archives (.tar, .tgz, .tar.gz; Content-Type application/x-tar or application/gzip) to applications known to use a vulnerable tar package. Entry names are only visible after decompression, so inspection at the network layer is limited to identifying archive uploads, not the malicious paths inside them.

SIEM Query:

Example: correlate file create/modify events (auditd, Sysmon or EDR telemetry) whose writing process is 'node' (or the application's service name) with target paths outside the service's extraction directory, especially dotfiles under home directories, /etc, cron directories and SSH authorized_keys, within a short window of the application handling an archive upload.

🔗 References

  • https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
  • https://nvd.nist.gov/vuln/detail/CVE-2021-32804