PT-2021-5756 · Npm · Node-Tar
Aveek Biswas · Published 2021-07-24 · Updated 2025-09-29 · CVE-2021-32804

| CVSS v3.1 | 8.2 (High) |
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
node-tar versions prior to 3.3.2, 4.4.14, 5.0.6, and 6.1.1
Description
The issue lies in the node-tar module for handling tar archives in Node.js, which filters the '/' character sequence incorrectly. This could allow a remote attacker to compromise data integrity and cause a denial of service. The npm package "tar" (aka node-tar) has an arbitrary file creation/overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. However, this logic was insufficient when file paths contained repeated path roots.
Recommendations
For versions prior to 3.3.2, 4.4.14, 5.0.6, and 6.1.1, update to the respective fixed versions (3.3.2, 4.4.14, 5.0.6, or 6.1.1) to resolve the issue. As a temporary workaround, consider creating a custom
onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths.
Exploit
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Red Hat
Rocky Linux
Suse
Node-Tar