PT-2021-7042 · Npm+2 · Node-Tar+2
Published
2021-08-31
·
Updated
2024-06-15
·
CVE-2021-37713
CVSS v3.1
8.6
High
| Vector | AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
node-tar versions prior to 4.4.18
node-tar versions prior to 5.0.10
node-tar versions prior to 6.1.9
Description
The issue is related to insufficient path sanitization in the node-tar module, which can lead to arbitrary file creation, overwrite, and arbitrary code execution. This occurs when extracting tar files that contain a path with a drive letter different from the extraction target on Windows systems. The path.resolve(extractionDirectory, entryPath) function resolves against the current working directory on the specified drive, rather than the extraction target directory. Additionally, paths starting with a drive letter and then two dots, such as C:../foo, can bypass the check for .. path portions. This issue only affects users of node-tar on Windows systems.
Recommendations
For node-tar versions prior to 4.4.18, update to version 4.4.18 or later.
For node-tar versions prior to 5.0.10, update to version 5.0.10 or later.
For node-tar versions prior to 6.1.9, update to version 6.1.9 or later.
If you are still using a v3 release, update to a more recent version of node-tar, as the v3 branch has been deprecated and did not receive patches for these issues.
Fix
Link Following
Path traversal
Related Identifiers
Affected Products
Alt Linux
Suse
Node-Tar