PT-2021-7001 · Npm+7 · Node-Tar+7
Published
2021-08-31
·
Updated
2024-06-15
·
CVE-2021-37701
CVSS v3.1
8.2
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
node-tar versions prior to 4.4.16
node-tar versions prior to 5.0.8
node-tar versions prior to 6.1.7
Description
The issue is related to the handling of tar archives by the node-tar module, which can lead to arbitrary file creation, overwrite, and arbitrary code execution. This is due to insufficient logic when extracting tar files containing both a directory and a symlink with the same name, where the symlink and directory names use backslashes as a path separator on POSIX systems. The cache checking logic used both `\` and `/` characters as path separators, but `\` is a valid filename character on POSIX systems. This allows an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location. A similar issue can arise on case-insensitive filesystems.
Recommendations
For node-tar versions prior to 4.4.16, update to version 4.4.16 or later.
For node-tar versions prior to 5.0.8, update to version 5.0.8 or later.
For node-tar versions prior to 6.1.7, update to version 6.1.7 or later.
As a temporary workaround for users who cannot update, create a custom filter method to prevent the extraction of symbolic links, such as:
```js
const tar = require('tar')
tar.x({
  file: 'archive.tgz',
  // Drop every symbolic link entry; all other entry types are extracted as usual.
  filter: (file, entry) => {
    if (entry.type === 'SymbolicLink') {
      return false
    } else {
      return true
    }
  }
})
```
Exploit
Fix
Link Following
Path traversal
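The following is an added JavaScript example, not node-tar's own code and not part of this advisory. It generalizes the workaround above into a reusable filter for the `filter(path, entry)` hook that `tar.x` calls (rejecting symlinks and hard links, absolute paths, `..` traversal, and backslashes on POSIX), and it separately models the cache-key normalization described in the Description so that an archive's entry list can be scanned for a directory/symlink pair that collides only under that flawed normalization. The functions `makeSafeFilter`, `legacyCacheKey` and `findDirSymlinkCollisions`, the entry object shape, and `SAMPLE_ENTRIES` are assumptions constructed for this example; only the `entry.type` strings mirror node-tar's.

```javascript
// Added example, not node-tar's own code. Entry objects are assumed to carry
// `path` and `type`, where `type` uses node-tar's strings such as 'File',
// 'Directory', 'SymbolicLink' and 'Link'.

// Conservative filter for untrusted archives. Besides dropping links (the
// advisory's workaround), it refuses absolute paths, '..' escapes and, on
// POSIX, any backslash, since vulnerable versions treated '\' as a separator.
function makeSafeFilter({ platform = process.platform } = {}) {
  return function filter(entryPath, entry) {
    if (entry.type === 'SymbolicLink' || entry.type === 'Link') return false;
    if (platform !== 'win32' && entryPath.includes('\\')) return false;
    const segs = entryPath.replace(/\\/g, '/').split('/');
    // Leading '' means the path started with '/'; 'C:' style roots are absolute too.
    if (segs[0] === '' || /^[A-Za-z]:$/.test(segs[0])) return false;
    let depth = 0;
    for (const s of segs) {
      if (s === '' || s === '.') continue;
      if (s === '..') {
        if (--depth < 0) return false; // would climb above the extraction root
      } else {
        depth++;
      }
    }
    return true;
  };
}

// Models the flawed cache key from the advisory: both '\' and '/' are treated
// as separators, and on case-insensitive filesystems case is folded as well.
function legacyCacheKey(entryPath, { caseInsensitive = false } = {}) {
  let key = entryPath.replace(/\\/g, '/').replace(/\/+$/, '');
  if (caseInsensitive) key = key.toLowerCase();
  return key;
}

// Scans an entry list for a directory and a symlink whose names are distinct
// as POSIX filenames yet equal under the legacy key. Returns the offending
// pairs so the archive can be rejected or logged before extraction.
function findDirSymlinkCollisions(entries, opts = {}) {
  const symlinks = entries.filter((e) => e.type === 'SymbolicLink');
  const dirs = entries.filter((e) => e.type === 'Directory');
  const found = [];
  for (const d of dirs) {
    const strictDir = d.path.replace(/\/+$/, '');
    for (const s of symlinks) {
      const strictLink = s.path.replace(/\/+$/, '');
      if (strictDir !== strictLink &&
          legacyCacheKey(d.path, opts) === legacyCacheKey(s.path, opts)) {
        found.push({ directory: d.path, symlink: s.path });
      }
    }
  }
  return found;
}

// Constructed sample entry list shaped like the case the advisory describes:
// a directory and a symlink whose names differ only by '\' versus '/'.
const SAMPLE_ENTRIES = [
  { path: 'pkg/', type: 'Directory' },
  { path: 'pkg/data/', type: 'Directory' },
  { path: 'pkg\\data', type: 'SymbolicLink', linkpath: '/tmp/outside' },
  { path: 'pkg/data/file.txt', type: 'File' },
];

// Stand-alone run: show the filter's verdicts and any detected collision.
const demoFilter = makeSafeFilter({ platform: 'linux' });
for (const e of SAMPLE_ENTRIES) {
  console.log(e.path, demoFilter(e.path, e) ? 'keep' : 'drop');
}
console.log(findDirSymlinkCollisions(SAMPLE_ENTRIES));
```

The scan is a pre-extraction check for archives handled by versions that cannot yet be upgraded; with the fixed node-tar versions the cache no longer treats `\` as a separator on POSIX, so the filter's backslash and link rejection is the part that remains useful as defence in depth.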
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Red Hat
Rocky Linux
Suse
Node-Tar