CVE-2021-38511
Description
An issue was discovered in the tar crate before 0.4.36 for Rust. When symlinks are present in a TAR archive, extraction can create arbitrary directories via .. traversal.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The tar crate before 0.4.36 for Rust allows arbitrary directory creation via path traversal when symlinks are present in a TAR archive.
Vulnerability
The tar crate for Rust before 0.4.36 contains a path traversal flaw in archive extraction (Archive::unpack). A TAR archive can carry a symlink entry whose target (the TAR "link name") is .. or another path that resolves outside the destination. The library does not validate that target, and when it later creates the missing parent directories for a subsequent entry whose path passes through the symlink's name, the directory creation follows the link. The new directories are therefore created outside the intended extraction directory. [2][3]
Exploitation
An attacker crafts a TAR archive containing a symlink entry whose target is .. (or a similar traversal path), followed by a file entry whose path begins with the symlink's name, so that the parent directories the extractor creates for it resolve outside the extraction base. No authentication or special privileges are required; the victim only has to extract the attacker's archive with an affected version of the crate. A proof-of-concept is available in the advisory. [3]
Impact
Successful exploitation lets the attacker create directories at arbitrary paths on the filesystem of the host performing the extraction. The references describe directory creation rather than arbitrary file writes outside the base, but unexpected directories can still break software that expects a file at that path, and the symlink-following behaviour is the kind of primitive that extraction code must not expose. The advisory rates this as a high integrity impact with no confidentiality or availability impact. [2]
Mitigation
The vulnerability is fixed in tar version 0.4.36, released on August 8, 2021. Users should update to >=0.4.36 immediately. The advisory lists no workaround for earlier versions; applications that cannot upgrade straight away can reduce exposure by iterating the archive's entries before extraction and refusing symlink entries (or any entry whose path contains ..), and by always extracting into a freshly created, empty directory. The CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog. [2]
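The mechanism and the fix described above, as an added example written for this page rather than code taken from the tar crate: a stand-in for the vulnerable order of operations (parent directories created before the destination is validated) next to a hardened extractor that walks the parent path one component at a time and refuses to descend through a symlink. The scratch directory, the symlink entry (escape -> ..), the entry paths and the function names are all constructed for the demonstration, and the symlink entry is created directly instead of being parsed from a TAR stream. Unix-only because it uses std::os::unix::fs::symlink.

```rust
// Added example, not the tar crate's own code. Unix-only (std::os::unix::fs::symlink).
use std::fs;
use std::io;
use std::os::unix::fs::symlink;
use std::path::{Component, Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

fn escape_err(msg: &str) -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, msg)
}

/// Stand-in for the vulnerable order of operations: parent directories are
/// created first and only then is the resolved path compared against `dst`.
/// If an earlier entry planted a symlink such as `escape -> ..`, `create_dir_all`
/// follows it and the directories land outside `dst` even though the file
/// write itself is refused afterwards.
fn unpack_vulnerable_order(dst: &Path, entry_path: &str, data: &[u8]) -> io::Result<PathBuf> {
    let file_dst = dst.join(entry_path);
    let parent = file_dst.parent().ok_or_else(|| escape_err("no parent"))?;
    fs::create_dir_all(parent)?; // too early: mkdir follows the planted symlink
    let real_parent = fs::canonicalize(parent)?;
    if !real_parent.starts_with(fs::canonicalize(dst)?) {
        // The check fires, but the directories already exist outside dst.
        return Err(escape_err("entry resolves outside destination"));
    }
    fs::write(&file_dst, data)?;
    Ok(file_dst)
}

/// Hardened order: reject `..`, absolute and prefixed paths up front, then walk
/// the parent path one component at a time. An existing component must be a
/// real directory (a symlink is refused outright); a missing one is created
/// with a single `create_dir`, so nothing is ever created through a link.
fn unpack_checked(dst: &Path, entry_path: &str, data: &[u8]) -> io::Result<PathBuf> {
    let rel = Path::new(entry_path);
    if rel.components().any(|c| !matches!(c, Component::Normal(_) | Component::CurDir)) {
        return Err(escape_err("entry path contains '..' or an absolute prefix"));
    }
    let parent = rel.parent().ok_or_else(|| escape_err("no parent"))?;
    let mut cur = dst.to_path_buf();
    for c in parent.components() {
        if let Component::Normal(name) = c {
            cur.push(name);
            match fs::symlink_metadata(&cur) {
                Ok(m) if m.file_type().is_symlink() => {
                    return Err(escape_err("refusing to create directories through a symlink"))
                }
                Ok(m) if !m.is_dir() => return Err(escape_err("path component is not a directory")),
                Ok(_) => {}
                Err(e) if e.kind() == io::ErrorKind::NotFound => fs::create_dir(&cur)?,
                Err(e) => return Err(e),
            }
        }
    }
    let file_dst = cur.join(rel.file_name().ok_or_else(|| escape_err("no file name"))?);
    fs::write(&file_dst, data)?;
    Ok(file_dst)
}

/// Reproduces the scenario end to end in a scratch directory. Returns
/// (vulnerable order created a dir outside dst, vulnerable order refused the write,
///  checked order refused the entry, checked order created a dir outside dst).
fn demo() -> io::Result<(bool, bool, bool, bool)> {
    let nanos = SystemTime::now().duration_since(UNIX_EPOCH).unwrap().as_nanos();
    let root = std::env::temp_dir()
        .join(format!("cve-2021-38511-demo-{}-{}", std::process::id(), nanos));
    let dst = root.join("extract");
    fs::create_dir_all(&dst)?;

    // First archive entry as the attacker would write it: a symlink named
    // `escape` whose link name is `..` (constructed directly for the demo).
    symlink("..", dst.join("escape"))?;

    // Second entry: a regular file whose path goes through the symlink.
    let vuln = unpack_vulnerable_order(&dst, "escape/planted/note.txt", b"hello");
    let vuln_created_outside = root.join("planted").is_dir();
    let vuln_refused = vuln.is_err();

    let checked = unpack_checked(&dst, "escape/planted2/note.txt", b"hello");
    let checked_refused = checked.is_err();
    let checked_created_outside = root.join("planted2").exists();

    // A benign entry still extracts normally under the checked path.
    let ok = unpack_checked(&dst, "docs/readme.txt", b"fine")?;
    debug_assert!(ok.starts_with(&dst));

    fs::remove_dir_all(&root)?;
    Ok((vuln_created_outside, vuln_refused, checked_refused, checked_created_outside))
}

fn main() -> io::Result<()> {
    let (a, b, c, d) = demo()?;
    println!("vulnerable order: dir created outside dst = {}, file write refused = {}", a, b);
    println!("checked order:    entry refused = {}, dir created outside dst = {}", c, d);
    Ok(())
}
```

Running it shows the directory `planted` appearing beside, not inside, the extraction directory even though the final file write was refused, which is exactly the footprint the advisory describes; the checked extractor stops at the symlink before creating anything. The per-component check still has a time-of-check/time-of-use window against a concurrent writer inside the destination, so extraction should always target a fresh directory that nothing else can modify while it runs.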
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tar (crates.io) | < 0.4.36 | 0.4.36 |
Affected products
- Rust / tar crate (source: CVE description)
Patches
No patch commits indexed yet; the fix pull request is linked under References.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-62jx-8vmh-4mcw (GHSA, advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-38511 (GHSA, advisory)
- [3] github.com/alexcrichton/tar-rs/issues/238 (GHSA, web)
- [4] github.com/alexcrichton/tar-rs/pull/259 (GHSA, web)
- [5] raw.githubusercontent.com/rustsec/advisory-db/main/crates/tar/RUSTSEC-2021-0080.md (GHSA, x_refsource_MISC, web)
- [6] rustsec.org/advisories/RUSTSEC-2021-0080.html (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.