Path Traversal in Npm Node-tar
CVE-2021-37712
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified b…
Vulnerability class: Path Traversal (Directory Traversal)
EPSS: 0.001 (24.7th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.2 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N.
Affected products
- Npm Node-tar — versions < 4.4.18, >= 5.0.0, < 5.0.10, >= 6.0.0, < 6.1.9
Weakness classification (CWE)
Public proof-of-concept exploits
References
- www.npmjs.com/package/tar
- github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
- www.oracle.com/security-alerts/cpuoct2021.html
- DSA-5008 (vendor-advisory)
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- [debian-lts-announce] 20221212 [SECURITY] [DLA 3237-1] node-tar security update (mailing-list)
Frequently asked questions
- What is CVE-2021-37712?
- CVE-2021-37712 is a high-severity vulnerability in Npm Node-tar, classified under Path Traversal. CVSS score: 8.2/10. Published 2021-08-31.
- How severe is CVE-2021-37712?
- High severity. CVSS v3 base score is 8.2 out of 10.
- Is CVE-2021-37712 known to be exploited?
- 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.