What is CVE-2021-32804?

CVE-2021-32804 is a high-severity vulnerability in Npm Node-tar, classified under Path Traversal. CVSS score: 8.2/10. Published 2021-08-03.

How severe is CVE-2021-32804?

High severity. CVSS v3 base score is 8.2 out of 10.

Is CVE-2021-32804 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Path Traversal in Npm Node-tar

CVE-2021-32804

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.850 (99.4th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.

Affected products

Npm Node-tar — versions < 3.2.2, >= 4.0.0, < 4.4.14, >= 5.0.0, < 5.0.6

Weakness classification (CWE)

CWE-22 — Path Traversal

Public proof-of-concept exploits

References

www.npmjs.com/package/tar (x_refsource_MISC)
github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9 (x_refsource_CONFIRM)
github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4 (x_refsource_MISC)
www.npmjs.com/advisories/1770 (x_refsource_MISC)
www.oracle.com/security-alerts/cpuoct2021.html (x_refsource_MISC)
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2021-32804?: CVE-2021-32804 is a high-severity vulnerability in Npm Node-tar, classified under Path Traversal. CVSS score: 8.2/10. Published 2021-08-03.
How severe is CVE-2021-32804?: High severity. CVSS v3 base score is 8.2 out of 10.
Is CVE-2021-32804 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.