PT-2021-7037 · Npm+6 · Node-Tar+6
Published 2021-08-31 · Updated 2023-02-23 · CVE-2021-37712
CVSS v3.1: 8.6 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
node-tar versions prior to 4.4.18
node-tar versions prior to 5.0.10
node-tar versions prior to 6.1.9
Description
node-tar aims to guarantee that no file is created or modified outside the extraction target directory. It does this partly by ensuring that extracted directories are not symlinks, and partly by caching the paths of directories it has already created so that it does not have to stat them again. That check was insufficient when an archive contained a directory and a symbolic link whose names differ as strings but normalize to the same Unicode value. On Windows, the same problem arises because long path components resolve to the same file system entity as their 8.3 "short path" counterparts. A crafted archive can therefore create a directory under one form of a name, replace it with a symlink written under a different form that resolves to the same entity, and then write a file through the first form; the write follows the symlink to an arbitrary location. The result is arbitrary file creation or overwrite, and potentially code execution, when extracting an untrusted archive.
Recommendations
For node-tar versions prior to 4.4.18, update to version 4.4.18 or later.
For node-tar versions prior to 5.0.10, update to version 5.0.10 or later.
For node-tar versions prior to 6.1.9, update to version 6.1.9 or later.
As a temporary workaround, users can create a custom filter method to prevent the extraction of symbolic links, such as:
```js
const tar = require('tar')

// Workaround from the advisory: refuse to extract any symbolic-link entry,
// so a crafted archive cannot redirect later entries outside the target directory.
tar.x({
  file: 'archive.tgz',
  filter: (file, entry) => {
    if (entry.type === 'SymbolicLink') {
      return false
    } else {
      return true
    }
  }
})
```
Exploit
Fix
Link Following
Path traversal
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Red Hat
Rocky Linux
Suse
Node-Tar