VYPR
High severity · NVD Advisory · Published Jul 2, 2019 · Updated Aug 4, 2024

CVE-2019-13173

Description

fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file. The fstream.DirWriter() function is vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

fstream before 1.0.12 allows arbitrary file overwrite via crafted tarballs using hardlinks to existing system files.

Vulnerability

CVE-2019-13173 is an arbitrary file overwrite vulnerability in the fstream Node.js library, versions before 1.0.12. The root cause lies in the fstream.DirWriter() function's handling of hardlinks when extracting tarballs. If a tarball contains a hardlink pointing to a file that already exists on the system, and also includes another file entry matching that hardlink's target path, the library writes the file entry through the link. Because a hardlink shares its inode with the file it points to, that write replaces the contents of the existing system file [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious tarball containing a hardlink to a sensitive system file (e.g., /etc/passwd) and a file entry with the same path. When a user or automated process extracts the tarball using a vulnerable version of fstream, the system file will be overwritten with the attacker-controlled content. No special authentication or network position is required beyond the ability to deliver the tarball to a target system where extraction occurs via fstream [1][2].

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the system with arbitrary content. This could lead to privilege escalation (by overwriting configuration or executable files), denial of service, or other forms of compromise, depending on which files are overwritten [2].

Mitigation

The vulnerability is fixed in fstream version 1.0.12. The fix, implemented in commit [6a77d2f] [3], checks whether the existing path has more than one link (nlink > 1) when the writer's own type is 'File', and handles that case like a type change: the existing path is removed with rimraf before the new file is written, so the write no longer goes through the shared inode. Users should update to the patched version immediately. The issue was also addressed in Ubuntu security notice USN-4123-1 [2].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
fstream (npm)    < 1.0.12            1.0.12


Patches

6a77d2fa6e14

Clobber a Link if it's in the way of a File

https://github.com/npm/fstream · isaacs · May 15, 2019 · via ghsa
1 file changed · +1 −1
  • lib/writer.js  +1 −1  modified
    @@ -147,7 +147,7 @@ Writer.prototype._stat = function (current) {
     
         // if it's a type change, then we need to clobber or error.
         // if it's not a type change, then let the impl take care of it.
    -    if (currentType !== self.type) {
    +    if (currentType !== self.type || self.type === 'File' && current.nlink > 1) {
           return rimraf(self._path, function (er) {
             if (er) return self.error(er)
             self._old = null
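Review bot: the comment above the condition still says the clobber path is taken only on a type change, but the added `|| self.type === 'File' && current.nlink > 1` clause now also removes an existing regular file whenever it has more than one link; update the comment to say so, and parenthesize the `&&` term so the intended grouping of `||` and `&&` is explicit rather than relying on precedence. The new clause only applies when `self.type` is `'File'`, so the nlink check is skipped for the other writer types this `_stat` serves; if that is deliberate, a short note in the comment would make it clear to the next reader.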
    

