Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
Description
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
node-tar before 4.4.16, 5.0.8, and 6.1.7 allows arbitrary file creation/overwrite and code execution via symlink directory cache poisoning.
Vulnerability
The npm package tar (node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 contains an arbitrary file creation/overwrite and arbitrary code execution vulnerability [1][2][3]. The vulnerability arises from insufficient symlink protection in the directory cache logic. When extracting a tar archive, node-tar caches paths of created directories to avoid unnecessary stat calls. However, if an archive contains both a directory and a symlink with the same name, where the names use backslashes (\) as path separators on POSIX systems, the cache checking logic incorrectly treats \ as a separator even though it is a valid filename character on POSIX. This allows an attacker to first create a directory, then replace it with a symlink, bypassing the symlink check. Additionally, on case-insensitive filesystems, a similar confusion occurs: a directory FOO followed by a symlink foo removes the directory from the filesystem but not from the internal cache, causing subsequent files within FOO to be extracted into the symlink target [2][3].
Exploitation
An attacker needs to supply a crafted tar archive to a system using a vulnerable version of node-tar. No special network position or authentication is required if the archive is extracted by a user or automated process. The attacker must include in the archive a directory entry and a subsequent symlink entry with the same name (using backslashes on POSIX or case variation on case-insensitive filesystems). The extraction process will create the directory, then replace it with a symlink pointing to an arbitrary location. A subsequent file entry within the original directory name will then be extracted into the symlink target, allowing the attacker to write files outside the intended extraction directory [2][3].
Impact
Successful exploitation allows an attacker to create or overwrite arbitrary files on the filesystem with the privileges of the process extracting the tar archive. This can lead to arbitrary code execution if the overwritten file is executable or if a configuration file is modified. The attacker gains the ability to write files to any location accessible by the extraction process, potentially escalating privileges or compromising the system [2][3].
Mitigation
The vulnerability is fixed in node-tar versions 4.4.16, 5.0.8, and 6.1.7 [2][3]. Users should update to these or later versions. The v3 branch is deprecated and did not receive a patch; users on v3 should upgrade to a supported branch. If updating is not immediately possible, a workaround is to avoid extracting untrusted tar archives with vulnerable versions, or to use the preservePaths: false option (default) which provides some protection but may not fully mitigate this issue [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tarnpm | >= 3.0.0, < 4.4.16 | 4.4.16 |
tarnpm | >= 5.0.0, < 5.0.8 | 5.0.8 |
tarnpm | >= 6.0.0, < 6.1.7 | 6.1.7 |
Affected products
15- ghsa-coords14 versionspkg:npm/tarpkg:rpm/almalinux/nodejspkg:rpm/almalinux/nodejs-develpkg:rpm/almalinux/nodejs-docspkg:rpm/almalinux/nodejs-full-i18npkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/almalinux/npmpkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP2pkg:rpm/suse/nodejs14&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP3
>= 3.0.0, < 4.4.16+ 13 more
- (no CPE)range: >= 3.0.0, < 4.4.16
- (no CPE)range: < 1:14.18.2-2.module_el8.5.0+2618+8d46dafd
- (no CPE)range: < 1:14.18.2-2.module_el8.5.0+2618+8d46dafd
- (no CPE)range: < 1:14.18.2-2.module_el8.5.0+2618+8d46dafd
- (no CPE)range: < 1:14.18.2-2.module_el8.5.0+2618+8d46dafd
- (no CPE)range: < 2.0.15-1.module_el8.6.0+2904+f21ad6f4
- (no CPE)range: < 23-3.module_el8.5.0+2618+8d46dafd
- (no CPE)range: < 1:6.14.15-1.14.18.2.2.module_el8.5.0+2618+8d46dafd
- (no CPE)range: < 12.22.9-1.38.1
- (no CPE)range: < 12.22.7-4.22.1
- (no CPE)range: < 12.22.7-4.22.1
- (no CPE)range: < 14.18.1-6.18.2
- (no CPE)range: < 14.18.1-15.21.2
- (no CPE)range: < 14.18.1-15.21.2
- npm/node-tarv5Range: < 4.4.16
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/advisories/GHSA-9r2w-394v-53qcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-37701ghsaADVISORY
- www.debian.org/security/2021/dsa-5008ghsavendor-advisoryWEB
- cert-portal.siemens.com/productcert/pdf/ssa-389290.pdfghsaWEB
- github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qcghsaWEB
- lists.debian.org/debian-lts-announce/2022/12/msg00023.htmlghsamailing-listWEB
- www.npmjs.com/package/targhsaWEB
- www.oracle.com/security-alerts/cpuoct2021.htmlghsaWEB
News mentions
0No linked articles in our index yet.