CVE-2021-37712

8.2 HIGH

📋 TL;DR

This vulnerability in the npm tar package allows attackers to bypass symlink checks by exploiting Unicode normalization and Windows short path behavior. It enables arbitrary file creation/overwrite and potentially arbitrary code execution when processing malicious tar archives. Anyone using vulnerable versions of node-tar to extract untrusted tar files is affected.

💻 Affected Systems

Products:
  • npm tar package (node-tar)
Versions: All versions before 4.4.18, 5.0.10, and 6.1.9; v3 branch is deprecated and unpatched.
Operating Systems: All operating systems, with specific Windows exploitation vectors
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when extracting tar files from untrusted sources. The vulnerability requires processing a specially crafted tar archive.

📦 What is this software?

node-tar is the npm tar package: the Node.js library for reading, writing and extracting tar archives, and the one npm itself relies on to unpack packages.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Arbitrary file overwrite allowing privilege escalation, data corruption, or persistence mechanisms.

🟢 If Mitigated: Limited impact if only trusted tar files are processed with proper file system permissions.

🌐 Internet-Facing: HIGH - Web applications processing user-uploaded tar files are directly vulnerable.
🏢 Internal Only: MEDIUM - Internal systems processing tar files from untrusted sources remain vulnerable.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious tar file with specific Unicode and path characteristics. Public proof-of-concept exists in advisory references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.18, 5.0.10, or 6.1.9 depending on major version

Vendor Advisory: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p

Restart Required: No

Instructions:

1. Identify the installed tar package version: npm list tar
2. Update to a patched version: npm update tar@latest
3. For v3 users: migrate to v4+ or apply a workaround.

🔧 Temporary Workarounds

Validate tar files before extraction (applies to: all platforms)

Implement validation logic to check tar files from untrusted sources before extraction.

Use alternative extraction libraries (applies to: all platforms)

Temporarily switch to alternative tar extraction libraries while patching.
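The "validate before extraction" workaround above is easier to apply with a concrete filter. The script below is an added example, not node-tar's own code: it parses ustar headers directly (so it does not depend on the vulnerable package) and rejects the entry shapes this advisory describes before anything is written to disk: symlink entries, names or link targets that escape the extraction root, names that only collide after Unicode normalization, and Windows 8.3-style short-name segments. The `~1` short-name test is a heuristic and an assumption of this example, not a specification check, and the sample archive is constructed in memory.

```javascript
// Added example (not node-tar's code): pre-extraction validator for untrusted
// tar archives. Parses ustar headers itself and reports entries that a
// symlink/directory check could be tricked by (see advisory text above).
const BLOCK = 512;

// Read a NUL-terminated UTF-8 field out of a 512-byte header block.
function field(hdr, start, len) {
  const slice = hdr.subarray(start, start + len);
  const end = slice.indexOf(0);
  return slice.subarray(0, end === -1 ? len : end).toString('utf8');
}

// Walk the archive block by block and collect { name, type, linkname, size }.
function parseEntries(archive) {
  const entries = [];
  for (let off = 0; off + BLOCK <= archive.length; ) {
    const hdr = archive.subarray(off, off + BLOCK);
    if (hdr.every((b) => b === 0)) break; // end-of-archive marker
    const size = parseInt(field(hdr, 124, 12).trim() || '0', 8);
    entries.push({
      name: field(hdr, 0, 100),
      type: hdr[156] === 0 ? '0' : String.fromCharCode(hdr[156]),
      linkname: field(hdr, 157, 100),
      size,
    });
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // skip header + data blocks
  }
  return entries;
}

// Return a list of findings; an empty list means every entry passed every rule.
function validateArchive(archive, { allowSymlinks = false } = {}) {
  const findings = [];
  const seen = new Map(); // NFC-normalized path -> raw name that first claimed it
  const strip = (p) => p.replace(/\/+$/, '');
  const escapes = (p) =>
    p.startsWith('/') || /^[A-Za-z]:/.test(p) || p.split(/[\\/]+/).includes('..');
  for (const e of parseEntries(archive)) {
    const flag = (rule, extra = {}) => findings.push({ name: e.name, rule, ...extra });
    if (escapes(e.name)) flag('path-escape');
    if (e.type === '2' && !allowSymlinks) flag('symlink', { target: e.linkname });
    if ((e.type === '1' || e.type === '2') && escapes(e.linkname)) flag('link-escape', { target: e.linkname });
    // Heuristic (assumption of this example): a segment like PROGRA~1 looks like a Windows 8.3 alias.
    if (e.name.split(/[\\/]+/).some((s) => /~\d+$/.test(s.split('.')[0]))) flag('short-name-alias');
    // Two different byte sequences that normalize to the same path are a collision.
    const norm = strip(e.name).normalize('NFC');
    if (seen.has(norm) && seen.get(norm) !== strip(e.name)) flag('unicode-collision', { collidesWith: seen.get(norm) });
    else if (!seen.has(norm)) seen.set(norm, strip(e.name));
  }
  return findings;
}

// Build one ustar header block (assumption: names and link targets under 100 bytes).
function tarHeader(name, typeflag, linkname = '', size = 0) {
  const hdr = Buffer.alloc(BLOCK);
  hdr.write(name, 0, 100, 'utf8');
  hdr.write('0000644\0', 100, 8);            // mode
  hdr.write('0000000\0', 108, 8);            // uid
  hdr.write('0000000\0', 116, 8);            // gid
  hdr.write(size.toString(8).padStart(11, '0') + '\0', 124, 12);
  hdr.write('00000000000\0', 136, 12);       // mtime
  hdr.write(typeflag, 156, 1);
  hdr.write(linkname, 157, 100, 'utf8');
  hdr.write('ustar\0' + '00', 257, 8);       // magic + version
  hdr.fill(' ', 148, 156);                   // checksum field counts as spaces while summing
  let sum = 0;
  for (const b of hdr) sum += b;
  hdr.write(sum.toString(8).padStart(6, '0') + '\0 ', 148, 8);
  return hdr;
}

// Constructed sample archive (not a real-world artifact): one benign file plus
// the entry shapes the validator is meant to catch.
function sampleArchive() {
  const body = Buffer.from('hello\n');
  return Buffer.concat([
    tarHeader('pkg/', '5'),
    tarHeader('pkg/README', '0', '', body.length), body, Buffer.alloc(BLOCK - body.length),
    tarHeader('pkg/caf\u00e9/', '5'),                    // "café", precomposed (NFC) directory
    tarHeader('pkg/cafe\u0301', '2', '../../outside'),   // "café", decomposed (NFD), as a symlink
    tarHeader('pkg/PROGRA~1/notes.txt', '0'),
    Buffer.alloc(BLOCK * 2),                             // end-of-archive marker
  ]);
}

const sampleFindings = validateArchive(sampleArchive());
console.log(sampleFindings);
```

Run the validator over an untrusted archive before handing it to any extractor, and treat a non-empty findings list as a reason to reject the whole file rather than to skip single entries: the collision and symlink rules only matter in combination with the entries that follow them. Pass `allowSymlinks: true` only for archives from a trusted producer.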

🧯 If You Can't Patch

  • Restrict tar file processing to trusted sources only
  • Run tar extraction in isolated containers with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check the installed tar package version: npm list tar | grep tar

npm list prints every copy of tar in the dependency tree, including nested ones; each copy must meet the threshold for its own major version.

Verify Fix Applied:

Verify the version is 4.4.18+, 5.0.10+, or 6.1.9+ (matching its major version): npm list tar
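Because the fixed release differs per major version and the v3 line has no fix, eyeballing npm list output is error-prone. The script below is an added example, not npm's or node-tar's code: it applies the per-major thresholds from this advisory to every copy of tar found in an npm ls --json style tree. It assumes majors above 6 postdate the fix and that the tree has the nested dependencies shape npm ls --json prints; the sample tree is constructed, not real output.

```javascript
// Added example (not npm's or node-tar's code): per-major patched-version check
// for the tar package, applied across a dependency tree.
const FIXED = { 4: [4, 4, 18], 5: [5, 0, 10], 6: [6, 1, 9] }; // from the advisory

function isPatchedTarVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`cannot parse version: ${version}`);
  const v = m.slice(1, 4).map(Number);
  const floor = FIXED[v[0]];
  // 3.x and older: deprecated, never fixed. 7+: assumed (by this example) to include the fix.
  if (!floor) return v[0] > 6;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] > floor[i];
  }
  return true; // exactly the fixed release
}

// Walk an `npm ls --json` style tree and report every tar occurrence with its path.
function findTarVersions(tree, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'tar' && node.version) {
      out.push({ path: here.join(' > '), version: node.version, patched: isPatchedTarVersion(node.version) });
    }
    findTarVersions(node, here, out);
  }
  return out;
}

function unpatchedCopies(tree) {
  return findTarVersions(tree).filter((r) => !r.patched);
}

// Constructed sample tree (not real npm output): one fixed copy and two unfixed ones.
const SAMPLE_TREE = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    tar: { version: '6.1.11' },
    'build-helper': { version: '2.0.0', dependencies: { tar: { version: '6.1.0' } } },
    'legacy-tool': { version: '0.1.0', dependencies: { tar: { version: '3.2.1' } } },
  },
};

for (const r of unpatchedCopies(SAMPLE_TREE)) {
  console.log(`UNPATCHED ${r.path} ${r.version}`);
}
```

To use it on a real project, parse the output of npm ls tar --json with JSON.parse and pass the object to unpatchedCopies; any hit is a copy that still needs updating or, for the v3 line, replacing.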

📡 Detection & Monitoring

Log Indicators:

  • Unusual file creation in system directories
  • Tar extraction errors related to symlinks or Unicode paths

Network Indicators:

  • Large tar file uploads to web applications
  • Unusual outbound connections after tar processing

SIEM Query:

Process execution where command contains 'tar' AND file path contains unusual Unicode characters
